Resumption of operations following failover in connection with triangular asynchronous replication

ABSTRACT

Handling failure of a primary group at a first data center that is part of plurality of data centers providing triangular asynchronous replication includes creating a data mirroring relationship between at least one storage volume at a second data center having a synchronous backup group that is part of the plurality of data centers and at least one storage volume at a third data center having an asynchronous backup group that is part of the plurality of data centers and resuming work at the third data center. Handling failure of a primary group at a first data center may also include synchronizing the at least one storage volume at the second data center with the at least one storage volume at the third data center prior to resuming work at the third data center.

BACKGROUND OF THE INVENTION

1. Technical Field

This application relates to computer storage devices, and moreparticularly to the field of transferring data between storage devices.

2. Description of Related Art

Host processor systems may store and retrieve data using a storagedevice containing a plurality of host interface units (host adapters),disk drives, and disk interface units (disk adapters). Such storagedevices are provided, for example, by EMC Corporation of Hopkinton,Mass. and disclosed in U.S. Pat. No. 5,206,939 to Yanai et al., U.S.Pat. No. 5,778,394 to Galtzur et al., U.S. Pat. No. 5,845,147 toVishlitzky et al., and U.S. Pat. No. 5,857,208 to Ofek. The host systemsaccess the storage device through a plurality of channels providedtherewith. Host systems provide data and access control informationthrough the channels to the storage device and the storage deviceprovides data to the host systems also through the channels. The hostsystems do not address the disk drives of the storage device directly,but rather, access what appears to the host systems as a plurality oflogical disk units. The logical disk units may or may not correspond tothe actual disk drives. Allowing multiple host systems to access thesingle storage device unit allows the host systems to share data storedtherein.

In some instances, it may be desirable to copy data from one storagedevice to another. For example, if a host writes data to a first storagedevice, it may be desirable to copy that data to a second storage deviceprovided in a different location so that if a disaster occurs thatrenders the first storage device inoperable, the host (or another host)may resume operation using the data of the second storage device. Such acapability is provided, for example, by the Remote Data Facility (RDF)product provided by EMC Corporation of Hopkinton, Massachusetts. WithRDF, a first storage device, denoted the “primary storage device” (or“R1”) is coupled to the host. One or more other storage devices, called“secondary storage devices” (or “R2”) receive copies of the data that iswritten to the primary storage device by the host. The host interactsdirectly with the primary storage device, but any data changes made tothe primary storage device are automatically provided to the one or moresecondary storage devices using RDF. The primary and secondary storagedevices may be connected by a data link, such as an ESCON link, a FibreChannel link, and/or a Gigabit Ethernet link. The RDF functionality maybe facilitated with an RDF adapter (RA) provided at each of the storagedevices.

RDF allows synchronous data transfer where, after data written from ahost to a primary storage device is transferred from the primary storagedevice to a secondary storage device using RDF, receipt is acknowledgedby the secondary storage device to the primary storage device which thenprovides a write acknowledge back to the host. Thus, in synchronousmode, the host does not receive a write acknowledge from the primarystorage device until the RDF transfer to the secondary storage devicehas been completed and acknowledged by the secondary storage device.

A drawback to the synchronous RDF system is that the latency of each ofthe write operations is increased by waiting for the acknowledgement ofthe RDF transfer. This problem is worse when there is a long distancebetween the primary storage device and the secondary storage device;because of transmission delays, the time delay required for making theRDF transfer and then waiting for an acknowledgement back after thetransfer is complete may be unacceptable.

It is also possible to use RDF in an a semi-synchronous mode, in whichcase the data is written from the host to the primary storage devicewhich acknowledges the write immediately and then, at the same time,begins the process of transferring the data to the secondary storagedevice. Thus, for a single transfer of data, this scheme overcomes someof the disadvantages of using RDF in the synchronous mode. However, fordata integrity purposes, the semi-synchronous transfer mode does notallow the primary storage device to transfer data to the secondarystorage device until a previous transfer is acknowledged by thesecondary storage device. Thus, the bottlenecks associated with usingRDF in the synchronous mode are simply delayed by one iteration becausetransfer of a second amount of data cannot occur until transfer ofprevious data has been acknowledged by the secondary storage device.

Another possibility is to have the host write data to the primarystorage device in asynchronous mode and have the primary storage devicecopy data to the secondary storage device in the background. Thebackground copy involves cycling through each of the tracks of theprimary storage device sequentially and, when it is determined that aparticular block has been modified since the last time that block wascopied, the block is transferred from the primary storage device to thesecondary storage device. Although this mechanism may attenuate thelatency problem associated with synchronous and semi-synchronous datatransfer modes, a difficulty still exists because there can not be aguarantee of data consistency between the primary and secondary storagedevices. If there are problems, such as a failure of the primary system,the secondary system may end up with out-of-order changes that make thedata unusable.

A proposed solution to this problem is the Symmetrix AutomatedReplication (SAR) process, which is described in U.S. Published PatentApplications 20040039959 and 20040039888, both of which are incorporatedby reference herein. The SAR uses devices (BCV's) that can mirrorstandard logical devices. A BCV device can also be split from itsstandard logical device after being mirrored and can be resynced (i.e.,reestablished as a mirror) to the standard logical devices after beingsplit. In addition, a BCV can be remotely mirrored using RDF, in whichcase the BCV may propagate data changes made thereto (while the BCV isacting as a mirror) to the BCV remote mirror when the BCV is split fromthe corresponding standard logical device.

However, using the SAR process requires the significant overhead ofcontinuously splitting and resyncing the BCV's. The SAR process alsouses host control and management, which relies on the controlling hostbeing operational. In addition, the cycle time for a practicalimplementation of a SAR process is on the order of twenty to thirtyminutes, and thus the amount of data that may be lost when an RDF linkand/or primary device fails could be twenty to thirty minutes worth ofdata.

Thus, it would be desirable to have an RDF system that exhibits some ofthe beneficial qualities of each of the different techniques discussedabove while reducing the drawbacks. Such a system would exhibit lowlatency for each host write regardless of the distance between theprimary device and the secondary device and would provide consistency(recoverability) of the secondary device in case of failure.

It would also be desirable to be able to combine the benefits obtainedfrom synchronous RDF transfers and asynchronous RDF transfers so thatup-to-date backup data may be provided on a J0 remote device that isrelatively close (geographically) to a source device while, at the sametime, backup data may also be provided to a backup device that isrelatively far from the source device. It would also be desirable ifsuch a system provided for appropriate data recovery among the backupdevices.

SUMMARY OF THE INVENTION

According to the present invention, swapping a primary group at a firstdata center and a synchronous backup group at a second data center wheretriangular asynchronous replication is being provided using the primarygroup, the synchronous backup group, and an asynchronous backup group ata third data center, includes halting work at the first data center,transferring pending mirrored data from the first data center to thethird data center, creating a data mirroring relationship between atleast one storage volume at the second data center and at least onestorage volume at the third data center, reversing a data mirroringrelationship between the at least one storage volume at the first datacenter and at least one storage volume at the second data center, andresuming work at the second data center, where writes to the at leastone storage volume at the second data center are mirrored synchronouslyto the at least one storage volume at the first data center and aremirrored asynchronously to the at least one storage volume at the thirddata center. Prior to resuming work at the second data center, the atleast one storage volume at the second data center may be synchronizedwith the at least one storage volume at the third data center. Swappinga primary group at a first data center and a synchronous backup group ata second data center may also include initiating multisession control atthe second data center prior to resuming work at the second data centerand after the at least one storage volume at the second data center issynchronized with the at least one storage volume at the third datacenter. The at least one storage volume at the second data center may besynchronized with the at least one storage volume at the third datacenter after resuming work at the second data center. Swapping a primarygroup at a first data center and a synchronous backup group at a seconddata center may also include, after resuming work at the second datacenter, determining when at least one storage volume at the second datacenter is synchronized with the at least one storage volume at the thirddata center. Swapping a primary group at a first data center and asynchronous backup group at a second data center may also includeinitiating multisession control at the second data center after the atleast one storage volume at the second data center is synchronized withthe at least one storage volume at the third data center. Swapping aprimary group at a first data center and a synchronous backup group at asecond data center may also include, after transferring pending mirroreddata from the first data center to the third data center and prior toresuming work at the second data center, making a local copy of data atthe first data center. Swapping a primary group at a first data centerand a synchronous backup group at a second data center may also include,after transferring pending mirrored data from the first data center tothe third data center and prior to resuming work at the second datacenter, making a local copy of data at the second data center and at thethird data center.

According further to the present invention, swapping a primary group ata first data center and an asynchronous backup group at a third datacenter where triangular asynchronous replication is being provided usingthe primary group, the asynchronous backup group, and a synchronousbackup group at a second data center, includes halting work at the firstdata center, transferring pending mirrored data from the first datacenter to the third data center, creating a data mirroring relationshipbetween at least one storage volume at the third data center and atleast one storage volume at the second data center, and resuming work atthe third data center, wherein writes to the at least one storage volumeat the third data center are mirrored asynchronously to the at least onestorage volume at the first data center. Prior to resuming work at thethird data center, the at least one storage volume at the second datacenter may be synchronized with the at least one storage volume at thethird data center. Swapping a primary group at a first data center andan asynchronous backup group at a third data center may also includereversing a data mirroring relationship between at least one storagevolume at the first data center and the at least one storage volume atthe third data center. Swapping a primary group at a first data centerand an asynchronous backup group at a third data center may also includeaccumulating mirrored data at the first data center for subsequentrestoration of the primary group at the first data center. Swapping aprimary group at a first data center and an asynchronous backup group ata third data center may also include initiating multisession control atthe third data center prior to resuming work at the third data centerand after the at least one storage volume at the third data center issynchronized with the at least one storage volume at the second datacenter. Swapping a primary group at a first data center and anasynchronous backup group at a third data center may also include, aftertransferring pending mirrored data from the first data center to thethird data center and prior to resuming work at the third data center,making a local copy of data at the first data center. Swapping a primarygroup at a first data center and an asynchronous backup group at a thirddata center may also include, after transferring pending mirrored datafrom the first data center to the third data center and prior toresuming work at the third data center, making a local copy of data atthe second data center and at the third data center.

According further to the present invention, computer software, in acomputer storage medium, that swaps a primary group at a first datacenter with one of: a synchronous backup group at a second data centerand an asynchronous backup group at a third data center, where theprimary group, the synchronous backup group, and the asynchronous backupgroup are providing triangular asynchronous replication at least priorto the swap, includes executable code that halts work at the first datacenter, executable code that transfers pending mirrored data from thefirst data center to the third data center, executable code that createsa data mirroring relationship between at least one storage volume at thesecond data center and at least one storage volume at the third datacenter, executable code that reverses a data mirroring relationshipbetween the at least one storage volume at the first data center and atleast one storage volume at the second data center if the primary groupis being swapped with the synchronous backup group, executable code thatresumes work at the second data center if the primary group is beingswapped with the synchronous backup group, wherein writes to the atleast one storage volume at the second data center are mirroredsynchronously to the at least one storage volume at the first datacenter and are mirrored asynchronously to the at least one storagevolume at the third data center, and executable code that resumes workat the third data center if the primary group is being swapped with theasynchronous backup group, where writes to the at least one storagevolume at the third data center are mirrored asynchronously to the atleast one storage volume at the second data center. The computersoftware may also include executable code that reverses a data mirroringrelationship between at least one storage volume at the first datacenter and the at least one storage volume at the third data center ifthe primary group is being swapped with the asynchronous backup group.The computer software may also include executable code that initiatesmultisession control prior to resuming work and after the at least onestorage volume at the third data center is synchronized with the atleast one storage volume at the second data center. The computersoftware may also include executable code that makes a local copy ofdata at the first data center after transferring pending mirrored datafrom the first data center to the third data center and prior toresuming work. The computer software may also include executable codethat makes a local copy of data at the second data center and the thirddata center after transferring pending mirrored data from the first datacenter to the third data center and prior to resuming work.

According further to the present invention, handling failure of aprimary group at a first data center that is part of plurality of datacenters providing triangular asynchronous replication, includes creatinga data mirroring relationship between at least one storage volume at asecond data center having a synchronous backup group that is part of theplurality of data centers and at least one storage volume at a thirddata center having an asynchronous backup group that is part of theplurality of data centers and resuming work at the second data center.Handling failure of a primary group at a first data center may alsoinclude synchronizing the at least one storage volume at the second datacenter with the at least one storage volume at the third data centerprior to resuming work at the second data center. Handling failure of aprimary group at a first data center may also include waiting forconsistency between the at least one storage volume at the second datacenter and the at least one storage volume at the third data centerafter resuming work at the second data center. Handling failure of aprimary group at a first data center may also include, prior to creatinga data mirroring relationship between at least one storage volume at thesecond data center and at least one storage volume at a third datacenter, making a local copy of data at the second data center and thethird data center. Handling failure of a primary group at a first datacenter may also include performing a half swap operation on a datamirroring relationship between the at least one storage volume at thesecond data center and a corresponding at least one storage volume atthe first data center, wherein the half swap operation causes the atleast one storage volume at the second data center to reverse adirection of data mirroring irrespective of cooperation from thecorresponding at least one storage volume first data center. The atleast one storage volume at the second data center may accumulate datathat may be transferred to the first data center if the first datacenter becomes operational. Handling failure of a primary group at afirst data center may also include performing a half delete operation ona data mirroring relationship between the at least one storage volume atthe third data center and a corresponding at least one storage volume atthe first data center, wherein the half delete operation causes the atleast one storage volume at the third data center to remove a datamirroring relationship with the at least one storage device at the firstdata center irrespective of cooperation from the corresponding at leastone storage volume at the first data center.

According further to the present invention, computer software, in acomputer readable medium, that handles failure of a primary group at afirst data center that is part of plurality of data centers providingtriangular asynchronous replication, includes executable code thatcreates a data mirroring relationship between at least one storagevolume at a second data center having a synchronous backup group that ispart of the plurality of data centers and at least one storage volume ata third data center having an asynchronous backup group that is part ofthe plurality of data centers and executable code that causes work to beresumed at the second data center. The computer software may alsoinclude executable code that synchronizes the at least one storagevolume at the second data center with the at least one storage volume atthe third data center prior to resuming work at the second data center.The computer software may also include executable code that waits forconsistency between the at least one storage volume at the second datacenter and the at least one storage volume at the third data centerafter work is resumed at the second data center. The computer softwaremay also include executable code that makes a local copy of data at thesecond data center and the third data center prior to creating a datamirroring relationship between at least one storage volume at the seconddata center and at least one storage volume at a third data center. Thecomputer software may also include executable code that performs a halfswap operation on a data mirroring relationship between the at least onestorage volume at the second data center and a corresponding at leastone storage volume at the first data center, wherein the half swapoperation causes the at least one storage volume at the second datacenter to reverse a direction of data mirroring irrespective ofcooperation from the corresponding at least one storage volume firstdata center. The at least one storage volume at the second data centermay accumulate data that may be transferred to the first data center ifthe first data center becomes operational. The computer software mayalso include executable code that performs a half delete operation on adata mirroring relationship between the at least one storage volume atthe third data center and a corresponding at least one storage volume atthe first data center, wherein the half delete operation causes the atleast one storage volume at the third data center to remove a datamirroring relationship with the at least one storage device at the firstdata center irrespective of cooperation from the corresponding at leastone storage volume at the first data center.

According further to the present invention, modifying a data mirroringrelationship between a first volume and a second volume includes issuinga command to first one of the volumes to modify the data mirroringrelationship without communicating with the second one of the volumesand the first one of the volumes being reconfigured according to thecommand independent of the second volume. The command may cause thefirst volume to delete the data mirroring relationship between the firstvolume and the second volume. The command may cause the first volume toreverse a data mirroring direction between the first volume and thesecond volume. The command may be issued in connection with resumingoperation of a primary group when a data center associated with thesecond volume has failed.

According further to the present invention, handling failure of aprimary group at a first data center that is part of plurality of datacenters providing triangular asynchronous replication includes creatinga data mirroring relationship between at least one storage volume at asecond data center having a synchronous backup group that is part of theplurality of data centers and at least one storage volume at a thirddata center having an asynchronous backup group that is part of theplurality of data centers and resuming work at the third data center.Handling failure of a primary group at a first data center may alsoinclude synchronizing the at least one storage volume at the second datacenter with the at least one storage volume at the third data centerprior to resuming work at the third data center. Handling failure of aprimary group at a first data center may also include waiting forconsistency between the at least one storage volume at the second datacenter and the at least one storage volume at the third data centerafter resuming work at the third data center. Handling failure of aprimary group at a first data center may also include, prior to creatinga data mirroring relationship between at least one storage volume at thesecond data center and at least one storage volume at a third datacenter, making a local copy of data at the second data center and thethird data center. Handling failure of a primary group at a first datacenter may also include performing a half swap operation on a datamirroring relationship between the at least one storage volume at thethird data center and a corresponding at least one storage volume at thefirst data center, wherein the half swap operation causes the at leastone storage volume at the third data center to reverse a direction ofdata mirroring irrespective of cooperation from the corresponding atleast one storage volume first data center. At least one storage volumeat the third data center may accumulate data that may be transferred tothe first data center if the first data center becomes operational.Handling failure of a primary group at a first data center may alsoinclude performing a half delete operation on a data mirroringrelationship between the at least one storage volume at the second datacenter and a corresponding at least one storage volume at the first datacenter, wherein the half delete operation causes the at least onestorage volume at the second data center to remove a data mirroringrelationship with the at least one storage device at the first datacenter irrespective of cooperation from the corresponding at least onestorage volume at the first data center.

According further to the present invention, computer software, in acomputer readable medium, that handles failure of a primary group at afirst data center that is part of plurality of data centers providingtriangular asynchronous replication, includes executable code thatcreates a data mirroring relationship between at least one storagevolume at a second data center having a synchronous backup group that ispart of the plurality of data centers and at least one storage volume ata third data center having an asynchronous backup group that is part ofthe plurality of data centers and executable code that causes work to beresumed at the third data center. The computer software may also includeexecutable code that synchronizes the at least one storage volume at thesecond data center with the at least one storage volume at the thirddata center prior to resuming work at the third data center. Thecomputer software may also include executable code that waits forconsistency between the at least one storage volume at the second datacenter and the at least one storage volume at the third data centerafter work is resumed at the third data center. The computer softwaremay also include executable code that makes a local copy of data at thesecond data center and the third data center prior to creating a datamirroring relationship between at least one storage volume at the seconddata center and at least one storage volume at a third data center. Thecomputer software may also include executable code that performs a halfswap operation on a data mirroring relationship between the at least onestorage volume at the third data center and a corresponding at least onestorage volume at the first data center, wherein the half swap operationcauses the at least one storage volume at the third data center toreverse a direction of data mirroring irrespective of cooperation fromthe corresponding at least one storage volume first data center. Atleast one storage volume at the third data center may accumulate datathat may be transferred to the first data center if the first datacenter becomes operational. The computer software may also includeexecutable code that performs a half delete operation on a datamirroring relationship between the at least one storage volume at thesecond data center and a corresponding at least one storage volume atthe first data center, wherein the half delete operation causes the atleast one storage volume at the second data center to remove a datamirroring relationship with the at least one storage device at the firstdata center irrespective of cooperation from the corresponding at leastone storage volume at the first data center.

According further to the present invention, a data storage systemincludes a first data center having at least one storage device, asecond data center, coupled to the first data center, having at leastone storage device, and a third data center, coupled to the first andsecond data centers, having at least one storage device, where the datacenters cooperate to provide triangular asynchronous replication with aprimary group being initially located at the first data center, asynchronous backup group being located at the second data center, and anasynchronous backup group being located at the third data center andwhere, in response to a failure of the first data center, executablecode creates a data mirroring relationship between the at least onestorage volume at the second data center and the at least one storagevolume at the third data center and causes work to be resumed at thethird data center. Additional executable code may synchronize the atleast one storage volume at the second data center with the at least onestorage volume at the third data center prior to resuming work at thethird data center. Additional executable code may wait for consistencybetween the at least one storage volume at the second data center andthe at least one storage volume at the third data center after work isresumed at the third data center. Additional executable code may make alocal copy of data at the second data center and the third data centerprior to creating a data mirroring relationship between at least onestorage volume at the second data center and at least one storage volumeat a third data center. Additional executable code may perform a halfswap operation on a data mirroring relationship between the at least onestorage volume at the third data center and a corresponding at least onestorage volume at the first data center, where the half swap operationcauses the at least one storage volume at the third data center toreverse a direction of data mirroring irrespective of cooperation fromthe corresponding at least one storage volume first data center.Additional executable code may perform a half delete operation on a datamirroring relationship between the at least one storage volume at thesecond data center and a corresponding at least one storage volume atthe first data center, wherein the half delete operation causes the atleast one storage volume at the second data center to remove a datamirroring relationship with the at least one storage device at the firstdata center irrespective of cooperation from the corresponding at leastone storage volume at the first data center.

According further to the present invention, resuming triangularasynchronous replication operations between a primary group at a firstdata center, a synchronous backup group at a second data center, and anasynchronous backup group at a third data center, includes stopping workat a data storage device temporarily hosting the primary group at oneof: the second data center and the third data center, configuring datamirroring relationships to provide for synchronous data mirroring fromthe data storage device at the first data center to a data storagedevice at the second data center, configuring data mirroringrelationships to provide for an asynchronous data mirror from the datastorage device at the first data center to a data storage device at thethird data center, and resuming work at the first data center. Resumingtriangular asynchronous replication operations may also includeinitiating synchronization of a data storage device at the first datacenter with the data storage device temporarily hosting the primarygroup. Resuming triangular asynchronous replication operations may alsoinclude completing pending data write operations associated with anasynchronous data mirror used by the data storage device temporarilyhosting the primary group prior to initiating synchronization. Work maybe resumed at the first data center following completion of thesynchronization. Resuming triangular asynchronous replication operationsmay also include, prior to resuming work at the first data center,initiating multisession control at the first data center.

According further to the present invention, resuming triangularasynchronous replication operations between a primary group at a firstdata center, a synchronous backup group at a second data center, and anasynchronous backup group at a third data center following intermittentfailure of a link between the first data center and the second datacenter, includes synchronizing a first storage device at the first datacenter with a second storage device at the second data center, where asynchronous data mirroring relationship is established between the firststorage device and the seconds storage device and resuming multisessioncontrol at the first data center.

According further to the present invention, resuming triangularasynchronous replication operations between a primary group at a firstdata center, a synchronous backup group at a second data center, and anasynchronous backup group at a third data center following intermittentfailure of a link between the first data center and the third datacenter includes providing local copies of a storage device at the seconddata center and a storage device at the third data center, initiatingtransfer of synchronizing data from the storage device at the first datacenter to a storage device at the third data center, resuming a datamirroring relationship from the storage device at the first data centerto the storage device at the third data center, and resumingmultisession control at the first data center. Resuming triangularasynchronous replication operations may also include waiting forsynchronization between the storage device at the first data center withthe storage device at the third data center prior to resumingmultisession control.

According further to the present invention, a computer readable mediumhas computer executable instructions for performing any of the stepsdescribed herein.

According further to the present invention, a system has at least oneprocessor that performs any of the steps described herein.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram showing a host, a local storage device,and a remote data storage device used in connection with the systemdescribed herein.

FIG. 2 is a schematic diagram showing a flow of data between a host, alocal storage device, and a remote data storage device used inconnection with the system described herein.

FIG. 3 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a local storage device according to thesystem described herein.

FIG. 4 is a diagram illustrating a data structure for a slot used inconnection with the system described herein.

FIG. 5 is a flow chart illustrating operation of a host adaptor (HA) inresponse to a write by a host according to the system described herein.

FIG. 6 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to the systemdescribed herein.

FIG. 7 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a remote storage device according to thesystem described herein.

FIG. 8 is a flow chart illustrating steps performed by a remote storagedevice in connection with receiving 1 a commit indicator from a localstorage device according to the system described herein.

FIG. 9 is a flow chart illustrating storing transmitted data at a remotestorage device according to the system described herein.

FIG. 10 is a flow chart illustrating steps performed in connection witha local storage device incrementing a sequence number according to asystem described herein.

FIG. 11 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a local storage device according to analternative embodiment of the system described herein.

FIG. 12 is a flow chart illustrating operation of a host adaptor (HA) inresponse to a write by a host according to an alternative embodiment ofthe system described herein.

FIG. 13 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to an alternativeembodiment of the system described herein.

FIG. 14 is a schematic diagram illustrating a plurality of local andremote storage devices with a host according to the system describedherein.

FIG. 15 is a diagram showing a multi-box mode table used in connectionwith the system described herein.

FIG. 16 is a flow chart illustrating modifying a multi-box mode tableaccording to the system described herein.

FIG. 17 is a flow chart illustrating cycle switching by the hostaccording to the system described herein.

FIG. 18 is a flow chart illustrating steps performed in connection witha local storage device incrementing a sequence number according to asystem described herein.

FIG. 19 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to the systemdescribed herein.

FIG. 20 is a flow chart illustrating transferring data from a localstorage device to a remote storage device according to an alternativeembodiment of the system described herein.

FIG. 21 is a flow chart illustrating providing an active empty indicatormessage from a remote storage device to a corresponding local storagedevice according to the system described herein.

FIG. 22 is a schematic diagram illustrating a plurality of local andremote storage devices with a plurality of hosts according to the systemdescribed herein.

FIG. 23 is a flow chart illustrating a processing performed by a remotestorage device in connection with data recovery according to the systemdescribed herein.

FIG. 24 is a flow chart illustrating a processing performed by a host inconnection with data recovery according to the system described herein.

FIG. 25 is a schematic diagram showing a storage device, memory, aplurality of directors, and a communication module according to thesystem described herein.

FIG. 26 is a schematic diagram showing a source group, a localdestination, and a remote destination according to the system describedherein.

FIG. 27 is a flow chart illustrating a process performed by a localdestination to initialize data recovery parameters according to thesystem described herein.

FIG. 28A is a flow chart illustrating a process performed by a localdestination in connection with receiving data during non-failure modeaccording to the system described herein.

FIG. 28B is a flow chart illustrating an alternative process that may beperformed by a local destination in connection with receiving dataduring non-failure mode according to the system described herein.

FIG. 28C is a flow chart illustrating an alternative process that may beperformed by a local destination in connection with receiving dataduring non-failure mode according to the system described herein.

FIG. 29 is a flow chart illustrating a process performed by a localdestination to initialize data recovery parameters according to thesystem described herein.

FIG. 30 is a flow chart illustrating a process performed by a remotedestination in connection with collecting failure recovery dataaccording to the system described herein.

FIG. 31 is a flow chart illustrating a process performed in connectionwith failure recovery according to the system described herein.

FIG. 32 is a flow chart illustrating processing performed in connectionwith terminating ordered writes according to the system describedherein.

FIG. 33 is a flow chart illustrating processing performed in connectionwith sending data from a local destination to a remote destinationaccording to the system described herein.

FIG. 34 is a flow chart illustrating a process performed by a localdestination in connection with resetting error recovery parametersaccording to the system described herein.

FIG. 35 is a flow chart illustrating a process performed by a remotedestination in connection with resetting error recovery parametersaccording to the system described herein.

FIG. 36 is a diagram illustrating a configuration of a source groupaccording to the system described herein.

FIG. 37 is a diagram illustrating another configuration of a sourcegroup according to the system described herein.

FIG. 38 is a flow chart illustrating an alternative embodiment fortransferring data from a local storage device to a remote storage deviceaccording to the system described herein.

FIG. 39 is a schematic diagram illustrating items for constructing andmanipulating chunks of data on a remote storage device according to thesystem described herein.

FIG. 40 is a diagram showing a table used to map logical devicelocations to slots containing data received by a remote storage deviceaccording to the system described herein.

FIG. 41 is a diagram showing another embodiment of a table used to maplogical device locations to slots containing data received by a remotestorage device according to the system described herein.

FIG. 42 is a schematic diagram showing a source group, a minimal storagelocal destination, and a remote destination according to an embodimentof the system described herein.

FIG. 43 is a schematic diagram showing data storage at a minimal storagelocal destination according to an embodiment of the system describedherein.

FIG. 44 is a diagram illustrating a data element used for data storageat a minimal storage local destination according to an embodiment of thesystem described herein.

FIG. 45 is a flow chart illustrating steps performed in connection witha minimal storage local destination receiving data according to anembodiment of the system described herein.

FIG. 46 is a flow chart illustrating steps performed in connection witha minimal storage local destination adding data according to anembodiment of the system described herein.

FIG. 47 is a flow chart illustrating steps performed in connection witha minimal storage local destination adding data according to anotherembodiment of the system described herein.

FIG. 48 is a flow chart illustrating steps performed in connection witha minimal storage local destination removing data according to anembodiment of the system described herein.

FIG. 49 is a flow chart illustrating steps performed in connection withdata recovery according to an embodiment of the system described herein.

FIG. 50 is a schematic diagram showing a plurality of source groups andremote destinations coupled to a minimal storage local destinationaccording to another embodiment of the system described herein.

FIG. 51 is a diagram illustrating a system having a primary group, asynchronous backup group, and an asynchronous backup group according tothe system described herein.

FIG. 52 is a flow chart illustrating steps performed in connection witha switchover of a primary group and a synchronous backup group aftersynchronization of the synchronous backup group with the asynchronousbackup group according to the system described herein.

FIG. 53 is a table illustrating correlation of R2 volumes having acommon R1 volume according to the system described herein.

FIG. 54 is a flow chart illustrating correlating R2 volumes having acommon R1 volume according to the system described herein.

FIG. 55 is a flow chart illustrating steps performed in connection witha switchover of a primary group and a synchronous backup group beforesynchronization of the synchronous backup group with the asynchronousbackup group according to the system described herein.

FIG. 56 is a flow chart illustrating steps performed in connection withswitching a primary group to a data center that previously hosted anasynchronous backup group according to the system described herein.

FIG. 57 is a diagram illustrating using a split mirror volume and thenrejoining the split mirror volume according to the system describedherein.

FIG. 58 is a flow chart illustrating a failover where work is restartedat a synchronous backup site after resynchronization of the synchronousand asynchronous backup sites according to the system described herein.

FIG. 59 is a flow chart illustrating a failover where work is restartedat a synchronous backup site before resynchronization of the synchronousand asynchronous backup sites according to the system described herein.

FIG. 60 is a flow chart illustrating a failover where work is restartedat an asynchronous backup site according to the system described herein.

FIG. 61 is a flow chart illustrating resumption of operations after afailover according to the system described herein.

FIG. 62 is a flow chart illustrating recover after failure of a linkbetween a primary group and a synchronous backup group according to thesystem described herein.

FIG. 63 is a flow chart illustrating recover after failure of a linkbetween a primary group and an asynchronous backup group according tothe system described herein.

DETAILED DESCRIPTION OF VARIOUS EMBODIMENTS

Referring to FIG. 1, a diagram 20 shows a relationship between a host22, a local storage device 24 and a remote storage device 26. The host22 reads and writes data from and to the local storage device 24 via ahost adapter (HA) 28, which facilitates the interface between the host22 and the local storage device 24. Although the diagram 20 only showsone host 22 and one HA 28, it will be appreciated by one of ordinaryskill in the art that multiple HA's may be used and that one or moreHA's may have one or more hosts coupled thereto.

Data from the local storage device 24 is copied to the remote storagedevice 26 via an RDF link 29 to cause the data on the remote storagedevice 26 to be identical to the data on the local storage device 24.Although only the one link 29 is shown, it is possible to haveadditional links between the storage devices 24, 26 and to have linksbetween one or both of the storage devices 24, 26 and other storagedevices (not shown). In addition, the link 29 may be provided using adirect connection (wired, over-the-air, or some combination thereof), anetwork (such as the Internet), or any other appropriate means forconveying data. Note that there may be a time delay between the transferof data from the local storage device 24 to the remote storage device26, so that the remote storage device 26 may, at certain points in time,contain data that is not identical to the data on the local storagedevice 24. Communication using RDF is described, for example, in U.S.Pat. No. 5,742,792, which is incorporated by reference herein.

The local storage device 24 includes a first plurality of RDF adapterunits (RA's) 30 a, 30 b, 30 c and the remote storage device 26 includesa second plurality of RA's 32 a-32 c. The RA's 30 a-30 c, 32 a-32 c arecoupled to the RDF link 29 and are similar to the host adapter 28, butare used to transfer data between the storage devices 24, 26. Thesoftware used in connection with the RA's 30 a-30 c, 32 a-32 c isdiscussed in more detail hereinafter.

The storage devices 24, 26 may include one or more disks, eachcontaining a different portion of data stored on each of the storagedevices 24, 26. FIG. 1 shows the storage device 24 including a pluralityof disks 33 a, 33 b, 33 c and the storage device 26 including aplurality of disks 34 a, 34 b, 34 c. The RDF functionality describedherein may be applied so that the data for at least a portion of thedisks 33 a-33 c of the local storage device 24 is copied, using RDF, toat least a portion of the disks 34 a-34 c of the remote storage device26. It is possible that other data of the storage devices 24, 26 is notcopied between the storage devices 24, 26, and thus is not identical.

Each of the disks 33 a-33 c is coupled to a corresponding disk adapterunit (DA) 35 a, 35 b, 35 c that provides data to a corresponding one ofthe disks 33 a-33 c and receives data from a corresponding one of thedisks 33 a-33 c. Similarly, a plurality of DA's 36 a, 36 b, 36 c of theremote storage device 26 are used to provide data to corresponding onesof the disks 34 a-34 c and receive data from corresponding ones of thedisks 34 a-34 c. An internal data path exists between the DA's 35 a-35c, the HA 28 and the RA's 30 a-30 c of the local storage device 24.Similarly, an internal data path exists between the DA's 36 a-36 c andthe RA's 32 a-32 c of the remote storage device 26. Note that, in otherembodiments, it is possible for more than one disk to be serviced by aDA and that it is possible for more than one DA to service a disk.

The local storage device 24 also includes a global memory 37 that may beused to facilitate data transferred between the DA's 35 a-35 c, the HA28 and the RA's 30 a-30 c. The memory 37 may contain tasks that are tobe performed by one or more of the DA's 35 a-35 c, the HA 28 and theRA's 30 a-30 c, and a cache for data fetched from one or more of thedisks 33 a-33 c. Similarly, the remote storage device 26 includes aglobal memory 38 that may contain tasks that are to be performed by oneor more of the DA's 36 a-36 c and the RA's 32 a-32 c, and a cache fordata fetched from one or more of the disks 34 a-34 c. Use of thememories 37, 38 is described in more detail hereinafter.

The storage space in the local storage device 24 that corresponds to thedisks 33 a-33 c may be subdivided into a plurality of volumes or logicaldevices. The logical devices may or may not correspond to the physicalstorage space of the disks 33 a-33 c. Thus, for example, the disk 33 amay contain a plurality of logical devices or, alternatively, a singlelogical device could span both of the disks 33 a, 33 b. Similarly, thestorage space for the remote storage device 26 that comprises the disks34 a-34 c may be subdivided into a plurality of volumes or logicaldevices, where each of the logical devices may or may not correspond toone or more of the disks 34 a-34 c.

Providing an RDF mapping between portions of the local storage device 24and the remote storage device 26 involves setting up a logical device onthe remote storage device 26 that is a remote mirror for a logicaldevice on the local storage device 24. The host 22 reads and writes datafrom and to the logical device on the local storage device 24 and theRDF mapping causes modified data to be transferred from the localstorage device 24 to the remote storage device 26 using the RA's, 30a-30 c, 32 a-32 c and the RDF link 29. In steady state operation, thelogical device on the remote storage device 26 contains data that isidentical to the data of the logical device on the local storage device24. The logical device on the local storage device 24 that is accessedby the host 22 is referred to as the “R1 volume” (or just “R1”) whilethe logical device on the remote storage device 26 that contains a copyof the data on the R1 volume is called the “R2 volume” (or just “R2”).Thus, the host reads and writes data from and to the R1 volume and RDFhandles automatic copying and updating of the data from the R1 volume tothe R2 volume. The system described herein may be implemented usingsoftware, hardware, and/or a combination of software and hardware wheresoftware may be stored in an appropriate storage medium and executed byone or more processors.

Referring to FIG. 2, a path of data is illustrated from the host 22 tothe local storage device 24 and the remote storage device 26. Datawritten from the host 22 to the local storage device 24 is storedlocally, as illustrated by the data element 51 of the local storagedevice 24. The data that is written by the host 22 to the local storagedevice 24 is also maintained by the local storage device 24 inconnection with being sent by the local storage device 24 to the remotestorage device 26 via the link 29.

In the system described herein, each data write by the host 22 (of, forexample a record, a plurality of records, a track, etc.) is assigned asequence number. The sequence number may be provided in an appropriatedata field associated with the write. In FIG. 2, the writes by the host22 are shown as being assigned sequence number N. All of the writesperformed by the host 22 that are assigned sequence number N arecollected in a single chunk of data 52. The chunk 52 represents aplurality of separate writes by the host 22 that occur at approximatelythe same time.

Generally, the local storage device 24 accumulates chunks of onesequence number while transmitting a previously accumulated chunk(having the previous sequence number) to the remote storage device 26.Thus, while the local storage device 24 is accumulating writes from thehost 22 that are assigned sequence number N, the writes that occurredfor the previous sequence number (N−1) are transmitted by the localstorage device 24 to the remote storage device 26 via the link 29. Achunk 54 represents writes from the host 22 that were assigned thesequence number N−1 that have not been transmitted yet to the remotestorage device 26.

The remote storage device 26 receives the data from the chunk 54corresponding to writes assigned a sequence number N−1 and constructs anew chunk 56 of host writes having sequence number N−1. The data may betransmitted using appropriate RDF protocol that acknowledges data sentacross the link 29. When the remote storage device 26 has received allof the data from the chunk 54, the local storage device 24 sends acommit message to the remote storage device 26 to commit all the dataassigned the N−1 sequence number corresponding to the chunk 56.Generally, once a chunk corresponding to a particular sequence number iscommitted, that chunk may be written to the logical storage device. Thisis illustrated in FIG. 2 with a chunk 58 corresponding to writesassigned sequence number N−2 (i.e., two before the current sequencenumber being used in connection with writes by the host 22 to the localstorage device 26). In FIG. 2, the chunk 58 is shown as being written toa data element 62 representing disk storage for the remote storagedevice 26. Thus, the remote storage device 26 is receiving andaccumulating the chunk 56 corresponding to sequence number N−1 while thechunk 58 corresponding to the previous sequence number (N−2) is beingwritten to disk storage of the remote storage device 26 illustrated bythe data element 62. In some embodiments, the data for the chunk 58 ismarked for write (but not necessarily written immediately), while thedata for the chunk 56 is not.

Thus, in operation, the host 22 writes data to the local storage device24 that is stored locally in the data element 51 and is accumulated inthe chunk 52. Once all of the data for a particular sequence number hasbeen accumulated (described elsewhere herein), the local storage device24 increments the sequence number. Data from the chunk 54 correspondingto one less than the current sequence number is transferred from thelocal storage device 24 to the remote storage device 26 via the link 29.The chunk 58 corresponds to data for a sequence number that wascommitted by the local storage device 24 sending a message to the remotestorage device 26. Data from the chunk 58 is written to disk storage ofthe remote storage device 26.

Note that the writes within a particular one of the chunks 52, 54, 56,58 are not necessarily ordered. However, as described in more detailelsewhere herein, every write for the chunk 58 corresponding to sequencenumber N−2 was begun prior to beginning any of the writes for the chunks54, 56 corresponding to sequence number N−1. In addition, every writefor the chunks 54, 56 corresponding to sequence number N−1 was begunprior to beginning any of the writes for the chunk 52 corresponding tosequence number N. Thus, in the event of a communication failure betweenthe local storage device 24 and the remote storage device 26, the remotestorage device 26 may simply finish writing the last committed chunk ofdata (the chunk 58 in the example of FIG. 2) and can be assured that thestate of the data at the remote storage device 26 is ordered in thesense that the data element 62 contains all of the writes that werebegun prior to a certain point in time and contains no writes that werebegun after that point in time. Thus, R2 always contains a point in timecopy of R1 and it is possible to reestablish a consistent image from theR2 device.

Referring to FIG. 3, a diagram 70 illustrates items used to constructand maintain the chunks 52, 54. A standard logical device 72 containsdata written by the host 22 and corresponds to the data element 51 ofFIG. 2 and the disks 33 a-33 c of FIG. 1. The standard logical device 72contains data written by the host 22 to the local storage device 24.

Two linked lists of pointers 74, 76 are used in connection with thestandard logical device 72. The linked lists 74, 76 correspond to datathat may be stored, for example, in the memory 37 of the local storagedevice 24. The linked list 74 contains a plurality of pointers 81-85,each of which points to a slot of a cache 88 used in connection with thelocal storage device 24. Similarly, the linked list 76 contains aplurality of pointers 91-95, each of which points to a slot of the cache88. In some embodiments, the cache 88 may be provided in the memory 37of the local storage device 24. The cache 88 contains a plurality ofcache slots 102-104 that may be used in connection to writes to thestandard logical device 72 and, at the same time, used in connectionwith the linked lists 74, 76.

Each of the linked lists 74, 76 may be used for one of the chunks ofdata 52, 54 so that, for example, the linked list 74 may correspond tothe chunk of data 52 for sequence number N while the linked list 76 maycorrespond to the chunk of data 54 for sequence number N−1. Thus, whendata is written by the host 22 to the local storage device 24, the datais provided to the cache 88 and, in some cases (described elsewhereherein), an appropriate pointer of the linked list 74 is created. Notethat the data will not be removed from the cache 88 until the data isdestaged to the standard logical device 72 and the data is also nolonger pointed to by one of the pointers 81-85 of the linked list 74, asdescribed elsewhere herein.

In an embodiment herein, one of the linked lists 74, 76 is deemed“active” while the other is deemed “inactive”. Thus, for example, whenthe sequence number N is even, the linked list 74 may be active whilethe linked list 76 is inactive. The active one of the linked lists 74,76 handles writes from the host 22 while the inactive one of the linkedlists 74, 76 corresponds to the data that is being transmitted from thelocal storage device 24 to the remote storage device 26.

While the data that is written by the host 22 is accumulated using theactive one of the linked lists 74, 76 (for the sequence number N), thedata corresponding to the inactive one of the linked lists 74, 76 (forprevious sequence number N−1) is transmitted from the local storagedevice 24 to the remote storage device 26. The RA's 30 a-30 c use thelinked lists 74, 76 to determine the data to transmit from the localstorage device 24 to the remote storage device 26.

Once data corresponding to a particular one of the pointers in one ofthe linked lists 74, 76 has been transmitted to the remote storagedevice 26, the particular one of the pointers may be removed from theappropriate one of the linked lists 74, 76. In addition, the data mayalso be marked for removal from the cache 88 (i.e., the slot may bereturned to a pool of slots for later, unrelated, use) provided that thedata in the slot is not otherwise needed for another purpose (e.g., tobe destaged to the standard logical device 72). A mechanism may be usedto ensure that data is not removed from the cache 88 until all devicesare no longer using the data. Such a mechanism is described, forexample, in U.S. Pat. No. 5,537,568 issued on Jul. 16, 1996 and in U.S.Pat. No. 6,594,742 issued on Jul. 15, 2003, both of which areincorporated by reference herein.

Referring to FIG. 4, a slot 120, like one of the slots 102-104 of thecache 88, includes a header 122 and data 124. The header 122 correspondsto overhead information used by the system to manage the slot 120. Thedata 124 is the corresponding data from the disk that is being(temporarily) stored in the slot 120. Information in the header 122includes pointers back to the disk, time stamp(s), etc.

The header 122 also includes a cache stamp 126 used in connection withthe system described herein. In an embodiment herein, the cache stamp126 is eight bytes. Two of the bytes are a “password” that indicateswhether the slot 120 is being used by the system described herein. Inother embodiments, the password may be one byte while the following byteis used for a pad. As described elsewhere herein, the two bytes of thepassword (or one byte, as the case may be) being equal to a particularvalue indicates that the slot 120 is pointed to by at least one entry ofthe linked lists 74, 76. The password not being equal to the particularvalue indicates that the slot 120 is not pointed to by an entry of thelinked lists 74, 76. Use of the password is described elsewhere herein.

The cache stamp 126 also includes a two byte field indicating thesequence number (e.g., N, N−1, N−2, etc.) of the data 124 of the slot120. As described elsewhere herein, the sequence number field of thecache stamp 126 may be used to facilitate the processing describedherein. The remaining four bytes of the cache stamp 126 may be used fora pointer, as described elsewhere herein. Of course, the two bytes ofthe sequence number and the four bytes of the pointer are only validwhen the password equals the particular value that indicates that theslot 120 is pointed to by at least one entry in one of the lists 74, 76.

Referring to FIG. 5, a flow chart 140 illustrates steps performed by theHA 28 in connection with a host 22 performing a write operation. Ofcourse, when the host 22 performs a write, processing occurs forhandling the write in a normal fashion irrespective of whether the datais part of an R1/R2 RDF group. For example, when the host 22 writes datafor a portion of the disk, the write occurs to a cache slot which iseventually destaged to the disk. The cache slot may either be a newcache slot or may be an already existing cache slot created inconnection with a previous read and/or write operation to the sametrack.

Processing begins at a first step 142 where a slot corresponding to thewrite is locked. In an embodiment herein, each of the slots 102-104 ofthe cache 88 corresponds to a track of data on the standard logicaldevice 72. Locking the slot at the step 142 prevents additionalprocesses from operating on the relevant slot during the processingperformed by the HA 28 corresponding to the steps of the flow chart 140.

Following step 142 is a step 144 where a value for N, the sequencenumber, is set. As discussed elsewhere herein, the value for thesequence number obtained at the step 144 is maintained during the entirewrite operation performed by the HA 28 while the slot is locked. Asdiscussed elsewhere herein, the sequence number is assigned to eachwrite to set the one of the chunks of data 52, 54 to which the writebelongs. Writes performed by the host 22 are assigned the currentsequence number. It is useful that a single write operation maintain thesame sequence number throughout.

Following the step 144 is a test step 146 which determines if thepassword field of the cache slot is valid. As discussed above, thesystem described herein sets the password field to a predetermined valueto indicate that the cache slot is already in one of the linked lists ofpointers 74, 76. If it is determined at the test step 146 that thepassword field is not valid (indicating that the slot is new and that nopointers from the lists 74, 76 point to the slot), then control passesfrom the step 146 to a step 148, where the cache stamp of the new slotis set by setting the password to the predetermined value, setting thesequence number field to N, and setting the pointer field to Null. Inother embodiments, the pointer field may be set to point to the slotitself.

Following the step 148 is a step 152 where a pointer to the new slot isadded to the active one of the pointer lists 74, 76. In an embodimentherein, the lists 74, 76 are circular doubly linked lists, and the newpointer is added to the circular doubly linked list in a conventionalfashion. Of course, other appropriate data structures could be used tomanage the lists 74, 76. Following the step 152 is a step 154 whereflags are set. At the step 154, the RDF_WP flag (RDF write pending flag)is set to indicate that the slot needs to be transmitted to the remotestorage device 26 using RDF. In addition, at the step 154, the IN_CACHEflag is set to indicate that the slot needs to be destaged to thestandard logical device 72. Following the step 154 is a step 156 wherethe data being written by the host 22 and the HA 28 is written to theslot. Following the step 156 is a step 158 where the slot is unlocked.Following step 158, processing is complete.

If it is determined at the test step 146 that the password field of theslot is valid (indicating that the slot is already pointed to by atleast one pointer of the lists 74, 76), then control transfers from thestep 146 to a test step 162, where it is determined whether the sequencenumber field of the slot is equal to the current sequence number, N.Note that there are two valid possibilities for the sequence numberfield of a slot with a valid password. It is possible for the sequencenumber field to be equal to N, the current sequence number. This occurswhen the slot corresponds to a previous write with sequence number N.The other possibility is for the sequence number field to equal N−1.This occurs when the slot corresponds to a previous write with sequencenumber N−1. Any other value for the sequence number field is invalid.Thus, for some embodiments, it may be possible to include error/validitychecking in the step 162 or possibly make error/validity checking aseparate step. Such an error may be handled in any appropriate fashion,which may include providing a message to a user.

If it is determined at the step 162 that the value in the sequencenumber field of the slot equals the current sequence number N, then nospecial processing is required and control transfers from the step 162to the step 156, discussed above, where the data is written to the slot.Otherwise, if the value of the sequence number field is N−1 (the onlyother valid value), then control transfers from the step 162 to a step164 where a new slot is obtained. The new slot obtained at the step 164may be used to store the data being written.

Following the step 164 is a step 166 where the data from the old slot iscopied to the new slot that was obtained at the step 164. Note that thecopied data includes the RDF_WP flag, which should have been set at thestep 154 on a previous write when the slot was first created. Followingthe step 166 is a step 168 where the cache stamp for the new slot is setby setting the password field to the appropriate value, setting thesequence number field to the current sequence number, N, and setting thepointer field to point to the old slot. Following the step 168 is a step172 where a pointer to the new slot is added to the active one of thelinked lists 74, 76. Following the step 172 is the step 156, discussedabove, where the data is written to the slot which, in this case, is thenew slot.

Referring to FIG. 6, a flow chart 200 illustrates steps performed inconnection with the RA's 30 a-30 c scanning the inactive one of thelists 72, 74 to transmit RDF data from the local storage device 24 tothe remote storage device 26. As discussed above, the inactive one ofthe lists 72, 74 points to slots corresponding to the N−1 cycle for theR1 device when the N cycle is being written to the R1 device by the hostusing the active one of the lists 72, 74.

Processing begins at a first step 202 where it is determined if thereare any entries in the inactive one of the lists 72, 74. As data istransmitted, the corresponding entries are removed from the inactive oneof the lists 72, 74. In addition, new writes are provided to the activeone of the lists 72, 74 and not generally to the inactive one of thelists 72, 74. Thus, it is possible (and desirable, as describedelsewhere herein) for the inactive one of the lists 72, 74 to contain nodata at certain times. If it is determined at the step 202 that there isno data to be transmitted, then the inactive one of the lists 72, 74 iscontinuously polled until data becomes available. Data for sendingbecomes available in connection with a cycle switch (discussed elsewhereherein) where the inactive one of the lists 72, 74 becomes the activeone of the lists 72, 74, and vice versa.

If it is determined at the step 202 that there is data available forsending, control transfers from the step 202 to a step 204, where theslot is verified as being correct. The processing performed at the step204 is an optional “sanity check” that may include verifying that thepassword field is correct and verifying that the sequence number fieldis correct. If there is incorrect (unexpected) data in the slot, errorprocessing may be performed, which may include notifying a user of theerror and possibly error recovery processing.

Following the step 204 is a step 212, where the data is sent via RDF ina conventional fashion. In an embodiment herein, the entire slot is nottransmitted. Rather, only records within the slot that have theappropriate mirror bits set (indicating the records have changed) aretransmitted to the remote storage device 26. However, in otherembodiments, it may be possible to transmit the entire slot, providedthat the remote storage device 26 only writes data corresponding torecords having appropriate mirror bits set and ignores other data forthe track, which may or may not be valid. Following the step 212 is atest step 214 where it is determined if the data that was transmittedhas been acknowledged by the R2 device. If not, the data is resent, asindicated by the flow from the step 214 back to the step 212. In otherembodiments, different and more involved processing may used to senddata and acknowledge receipt thereof. Such processing may include errorreporting and alternative processing that is performed after a certainnumber of attempts to send the data have failed.

Once it is determined at the test step 214 that the data has beensuccessfully sent, control passes from the step 214 to a step 216 toclear the RDF_WP flag (since the data has been successfully sent viaRDF). Following the step 216 is a test step 218 where it is determinedif the slot is a duplicate slot created in connection with a write to aslot already having an existing entry in the inactive one of the lists72, 74. This possibility is discussed above in connection with the steps162, 164, 166, 168, 172. If it is determined at the step 218 that theslot is a duplicate slot, then control passes from the step 218 to astep 222 where the slot is returned to the pool of available slots (tobe reused). In addition, the slot may also be aged (or have some otherappropriate mechanism applied thereto) to provide for immediate reuseahead of other slots since the data provided in the slot is not validfor any other purpose. Following the step 222 or the step 218 if theslot is not a duplicate slot is a step 224 where the password field ofthe slot header is cleared so that when the slot is reused, the test atthe step 146 of FIG. 5 properly classifies the slot as a new slot.

Following the step 224 is a step 226 where the entry in the inactive oneof the lists 72, 74 is removed. Following the step 226, controltransfers back to the step 202, discussed above, where it is determinedif there are additional entries on the inactive one of the lists 72, 74corresponding to data needing to be transferred.

Referring to FIG. 7, a diagram 240 illustrates creation and manipulationof the chunks 56, 58 used by the remote storage device 26. Data that isreceived by the remote storage device 26, via the link 29, is providedto a cache 242 of the remote storage device 26. The cache 242 may beprovided, for example, in the memory 38 of the remote storage device 26.The cache 242 includes a plurality of cache slots 244-246, each of whichmay be mapped to a track of a standard logical storage device 252. Thecache 242 is similar to the cache 88 of FIG. 3 and may contain data thatcan be destaged to the standard logical storage device 252 of the remotestorage device 26. The standard logical storage device 252 correspondsto the data element 62 shown in FIG. 2 and the disks 34 a-34 c shown inFIG. 1.

The remote storage device 26 also contains a pair of cache only virtualdevices 254, 256. The cache only virtual devices 254, 256 correspondeddevice tables that may be stored, for example, in the memory 38 of theremote storage device 26. Each track entry of the tables of each of thecache only virtual devices (COVD) 254, 256 point to either a track ofthe standard logical device 252 or point to a slot of the cache 242.Cache only virtual devices are described in U.S. patent applicationtitled CACHE-ONLY VIRTUAL DEVICES, filed on Mar. 25, 2003 and havingSer. No. 10/396,800, which is incorporated by reference herein. Note,however, that the functionality described herein in connection with theCOVD's may be implemented generally using tables having appropriatepointers that may point to cache slots as described herein.

The plurality of cache slots 244-246 may be used in connection to writesto the standard logical device 252 and, at the same time, used inconnection with the cache only virtual devices 254, 256. In anembodiment herein, each of track table entries of the cache only virtualdevices 254, 256 contain a null to indicate that the data for that trackis stored on a corresponding track of the standard logical device 252.Otherwise, an entry in the track table for each of the cache onlyvirtual devices 254, 256 contains a pointer to one of the slots 244-246in the cache 242.

Each of the cache only virtual devices 254, 256 corresponds to one ofthe data chunks 56, 58. Thus, for example, the cache only virtual device254 may correspond to the data chunk 56 while the cache only virtualdevice 256 may correspond to the data chunk 58. In an embodiment herein,one of the cache only virtual devices 254, 256 may be deemed “active”while the other one of the cache only virtual devices 254, 256 may bedeemed “inactive”. The inactive one of the cache only virtual devices254, 256 may correspond to data being received from the local storagedevice 24 (i.e., the chunk 56) while the active one of the cache onlyvirtual device 254, 256 corresponds to data being restored (written) tothe standard logical device 252.

Data from the local storage device 24 that is received via the link 29may be placed in one of the slots 244-246 of the cache 242. Acorresponding pointer of the inactive one of the cache only virtualdevices 254, 256 may be set to point to the received data. Subsequentdata having the same sequence number may be processed in a similarmanner. At some point, the local storage device 24 provides a messagecommitting all of the data sent using the same sequence number. Once thedata for a particular sequence number has been committed, the inactiveone of the cache only virtual devices 254, 256 becomes active and viceversa. At that point, data from the now active one of the cache onlyvirtual devices 254, 256 is copied to the standard logical device 252while the inactive one of the cache only virtual devices 254, 256 isused to receive new data (having a new sequence number) transmitted fromthe local storage device 24 to the remote storage device 26.

As data is removed from the active one of the cache only virtual devices254, 256 (discussed elsewhere herein), the corresponding entry in theactive one of the cache only virtual devices 254, 256 may be set tonull. In addition, the data may also be removed from the cache 244(i.e., the slot returned to the pool of free slots for later use)provided that the data in the slot is not otherwise needed for anotherpurpose (e.g., to be destaged to the standard logical device 252). Amechanism may be used to ensure that data is not removed from the cache242 until all mirrors (including the cache only virtual devices 254,256) are no longer using the data. Such a mechanism is described, forexample, in U.S. Pat. No. 5,537,568 issued on Jul. 16, 1996 and in U.S.Pat. No. 6,594,742 issued on Jul. 15, 2003, both of which areincorporated by reference herein.

In some embodiments discussed elsewhere herein, the remote storagedevice 26 may maintain linked lists 258, 262 like the lists 74, 76 usedby the local storage device 24. The lists 258, 262 may containinformation that identifies the slots of the corresponding cache onlyvirtual devices 254, 256 that have been modified, where one of the lists258, 262 corresponds to one of the cache only virtual devices 254, 256and the other one of the lists 258, 262 corresponds to the other one ofthe cache only virtual devices 254, 256. As discussed elsewhere herein,the lists 258, 262 may be used to facilitate restoring data from thecache only virtual devices 254, 256 to the standard logical device 252.

Referring to FIG. 8, a flow chart 270 illustrates steps performed by theremote storage device 26 in connection with processing data for asequence number commit transmitted by the local storage device 24 to theremote storage device 26. As discussed elsewhere herein, the localstorage device 24 periodically increments sequence numbers. When thisoccurs, the local storage device 24 finishes transmitting all of thedata for the previous sequence number and then sends a commit messagefor the previous sequence number.

Processing begins at a first step 272 where the commit is received.Following the step 272 is a test step 274 which determines if the activeone of the cache only virtual devices 254, 256 of the remote storagedevice 26 is empty. As discussed elsewhere herein, the inactive one ofthe cache only virtual devices 254, 256 of the remote storage device 26is used to accumulate data from the local storage device 24 sent usingRDF while the active one of the cache only virtual devices 254, 256 isrestored to the standard logical device 252.

If it is determined at the test step 274 that the active one of thecache only virtual devices 254, 256 is not empty, then control transfersfrom the test step 274 to a step 276 where the restore for the activeone of the cache only virtual devices 254, 256 is completed prior tofurther processing being performed. Restoring data from the active oneof the cache only virtual devices 254, 256 is described in more detailelsewhere herein. It is useful that the active one of the cache onlyvirtual devices 254, 256 is empty prior to handling the commit andbeginning to restore data for the next sequence number.

Following the step 276 or following the step 274 if the active one ofthe cache only virtual devices 254, 256 is determined to be empty, is astep 278 where the active one of the cache only virtual devices 254, 256is made inactive. Following the step 278 is a step 282 where thepreviously inactive one of the cache only virtual devices 254, 256(i.e., the one that was inactive prior to execution of the step 278) ismade active. Swapping the active and inactive cache only virtual devices254, 256 at the steps 278, 282 prepares the now inactive (and empty) oneof the cache only virtual devices 254, 256 to begin to receive data fromthe local storage device 24 for the next sequence number.

Following the step 282 is a step 284 where the active one of the cacheonly virtual devices 254, 256 is restored to the standard logical device252 of the remote storage device 26. Restoring the active one of thecache only virtual devices 254, 256 to the standard logical device 252is described in more detail hereinafter. However, note that, in someembodiments, the restore process is begun, but not necessarilycompleted, at the step 284. Following the step 284 is a step 286 wherethe commit that was sent from the local storage device 24 to the remotestorage device 26 is acknowledged back to the local storage device 24 sothat the local storage device 24 is informed that the commit wassuccessful. Following the step 286, processing is complete.

Referring to FIG. 9, a flow chart 300 illustrates in more detail thesteps 276, 284 of FIG. 8 where the remote storage device 26 restores theactive one of the cache only virtual devices 254, 256. Processing beginsat a first step 302 where a pointer is set to point to the first slot ofthe active one of the cache only virtual devices 254, 256. The pointeris used to iterate through each track table entry of the active one ofthe cache only virtual devices 254, 256, each of which is processedindividually. Following the step 302 is a test step 304 where it isdetermined if the track of the active one of the cache only virtualdevices 254, 256 that is being processed points to the standard logicaldevice 252. If so, then there is nothing to restore. Otherwise, controltransfers from the step 304 to a step a 306 where the corresponding slotof the active one of the cache only virtual devices 254, 256 is locked.

Following the step 306 is a test step 308 which determines if thecorresponding slot of the standard logical device 252 is already in thecache of the remote storage device 26. If so, then control transfersfrom the test step 308 to a step 312 where the slot of the standardlogical device is locked. Following step 312 is a step 314 where thedata from the active one of the cache only virtual devices 254, 256 ismerged with the data in the cache for the standard logical device 252.Merging the data at the step 314 involves overwriting the data for thestandard logical device with the new data of the active one of the cacheonly virtual devices 254, 256. Note that, in embodiments that providefor record level flags, it may be possible to simply OR the new recordsfrom the active one of the cache only virtual devices 254, 256 to therecords of the standard logical device 252 in the cache. That is, if therecords are interleaved, then it is only necessary to use the recordsfrom the active one of the cache only virtual devices 254, 256 that havechanged and provide the records to the cache slot of the standardlogical device 252. Following step 314 is a step 316 where the slot ofthe standard logical device 252 is unlocked. Following step 316 is astep 318 where the slot of the active one of the cache only virtualdevices 254, 256 that is being processed is also unlocked.

If it is determined at the test step 308 that the corresponding slot ofthe standard logical device 252 is not in cache, then control transfersfrom the test step 308 to a step 322 where the track entry for the slotof the standard logical device 252 is changed to indicate that the slotof the standard logical device 252 is in cache (e.g., an IN_CACHE flagmay be set) and needs to be destaged. As discussed elsewhere herein, insome embodiments, only records of the track having appropriate mirrorbits set may need to be destaged. Following the step 322 is a step 324where a flag for the track may be set to indicate that the data for thetrack is in the cache.

Following the step 324 is a step 326 where the slot pointer for thestandard logical device 252 is changed to point to the slot in thecache. Following the step 326 is a test step 328 which determines if theoperations performed at the steps 322, 324, 326 have been successful. Insome instances, a single operation called a “compare and swap” operationmay be used to perform the steps 322, 324, 326. If these operations arenot successful for any reason, then control transfers from the step 328back to the step 308 to reexamine if the corresponding track of thestandard logical device 252 is in the cache. Otherwise, if it isdetermined at the test step 328 that the previous operations have beensuccessful, then control transfers from the test step 328 to the step318, discussed above.

Following the step 318 is a test step 332 which determines if the cacheslot of the active one of the cache only virtual devices 254, 256 (whichis being restored) is still being used. In some cases, it is possiblethat the slot for the active one of the cache only virtual devices 254,256 is still being used by another mirror. If it is determined at thetest step 332 that the slot of the cache only virtual device is notbeing used by another mirror, then control transfers from the test step332 to a step 334 where the slot is released for use by other processes(e.g., restored to pool of available slots, as discussed elsewhereherein). Following the step 334 is a step 336 to point to the next slotto process the next slot of the active one of the cache only virtualdevices 254, 256. Note that the step 336 is also reached from the teststep 332 if it is determined at the step 332 that the active one of thecache only virtual devices 254, 256 is still being used by anothermirror. Note also that the step 336 is reached from the test step 304 ifit is determined at the step 304 that, for the slot being processed, theactive one of the cache only virtual devices 254, 256 points to thestandard logical device 252. Following the step 336 is a test step 338which determines if there are more slots of the active one of the cacheonly virtual devices 254, 256 to be processed. If not, processing iscomplete. Otherwise, control transfers from the test step 338 back tothe step 304.

In another embodiment, it is possible to construct lists of modifiedslots for the received chunk of data 56 corresponding to the N−1 cycleon the remote storage device 26, such as the lists 258, 262 shown inFIG. 7. As the data is received, the remote storage device 26 constructsa linked list of modified slots. The lists that are constructed may becircular, linear (with a NULL termination), or any other appropriatedesign. The lists may then be used to restore the active one of thecache only virtual devices 254, 256.

The flow chart 300 of FIG. 9 shows two alternative paths 342, 344 thatillustrate operation of embodiments where a list of modified slots isused. At the step 302, a pointer (used for iterating through the list ofmodified slots) is made to point to the first element of the list.Following the step 302 is the step 306, which is reached by thealternative path 342. In embodiments that use lists of modified slots,the test step 304 is not needed since no slots on the list should pointto the standard logical device 252.

Following the step 306, processing continues as discussed above with theprevious embodiment, except that the step 336 refers to traversing thelist of modified slots rather than pointing to the next slot in theCOVD. Similarly, the test at the step 338 determines if the pointer isat the end of the list (or back to the beginning in the case of acircular linked list). Also, if it is determined at the step 338 thatthere are more slots to process, then control transfers from the step338 to the step 306, as illustrated by the alternative path 344. Asdiscussed above, for embodiments that use a list of modified slots, thestep 304 may be eliminated.

Referring to FIG. 10, a flow chart 350 illustrates steps performed inconnection with the local storage device 24 increasing the sequencenumber. Processing begins at a first step 352 where the local storagedevice 24 waits at least M seconds prior to increasing the sequencenumber. In an embodiment herein, M is thirty, but of course M could beany number. Larger values for M increase the amount of data that may be,lost if communication between the storage devices 24, 26 is disrupted.However, smaller values for M increase the total amount of overheadcaused by incrementing the sequence number more frequently.

Following the step 352 is a test step 354 which determines if all of theHA's of the local storage device 24 have set a bit indicating that theHA's have completed all of the I/O's for a previous sequence number.When the sequence number changes, each of the HA's notices the changeand sets a bit indicating that all I/O's of the previous sequence numberare completed. For example, if the sequence number changes from N−1 toN, an HA will set the bit when the HA has completed all I/O's forsequence number N−1. Note that, in some instances, a single I/O for anHA may take a long time and may still be in progress even after thesequence number has changed. Note also that, for some systems, adifferent mechanism may be used to determine if all of the HA's havecompleted their N−1 I/O's. The different mechanism may include examiningdevice tables in the memory 37.

If it is determined at the test step 354 that I/O's from the previoussequence number have been completed, then control transfers from thestep 354 to a test step 356 which determines if the inactive one of thelists 74, 76 is empty. Note that a sequence number switch may not bemade unless and until all of the data corresponding to the inactive oneof the lists 74, 76 has been completely transmitted from the localstorage device 24 to the remote storage device 26 using the RDFprotocol. Once the inactive one of the lists 74, 76 is determined to beempty, then control transfers from the step 356 to a step 358 where thecommit for the previous sequence number is sent from the local storagedevice 24 to the remote storage device 26. As discussed above, theremote storage device 26 receiving a commit message for a particularsequence number will cause the remote storage device 26 to beginrestoring the data corresponding to the sequence number.

Following the step 358 is a step 362 where the copying of data for theinactive one of the lists 74, 76 is suspended. As discussed elsewhereherein, the inactive one of the lists is scanned to send correspondingdata from the local storage device 24 to the remote storage device 26.It is useful to suspend copying data until the sequence number switch iscompleted. In an embodiment herein, the suspension is provided bysending a message to the RA's 30 a-30 c. However, it will be appreciatedby one of ordinary skill in the art that for embodiments that use othercomponents to facilitate sending data using the system described herein,suspending copying may be provided by sending appropriatemessages/commands to the other components.

Following step 362 is a step 364 where the sequence number isincremented. Following step 364 is a step 366 where the bits for theHA's that are used in the test step 354 are all cleared so that the bitsmay be set again in connection with the increment of the sequencenumber. Following step 366 is a test step 372 which determines if theremote storage device 26 has acknowledged the commit message sent at thestep 358. Acknowledging the commit message is discussed above inconnection with FIG. 8. Once it is determined that the remote storagedevice 26 has acknowledged the commit message sent at the step 358,control transfers from the step 372 to a step 374 where the suspensionof copying, which was provided at the step 362, is cleared so thatcopying may resume. Following step 374, processing is complete. Notethat it is possible to go from the step 374 back to the step 352 tobegin a new cycle to continuously increment the sequence number.

It is also possible to use COVD's on the R1 device to collect slotsassociated with active data and inactive chunks of data. In that case,just as with the R2 device, one COVD could be associated with theinactive sequence number and another COVD could be associated with theactive sequence number. This is described below.

Referring to FIG. 11, a diagram 400 illustrates items used to constructand maintain the chunks 52, 54. A standard logical device 402 containsdata written by the host 22 and corresponds to the data element 51 ofFIG. 2 and the disks 33 a-33 c of FIG. 1. The standard logical device402 contains data written by the host 22 to the local storage device 24.

Two cache only virtual devices 404, 406 are used in connection with thestandard logical device 402. The cache only virtual devices 404, 406corresponded device tables that may be stored, for example, in thememory 37 of the local storage device 24. Each track entry of the tablesof each of the cache only virtual devices 404, 406 point to either atrack of the standard logical device 402 or point to a slot of a cache408 used in connection with the local storage device 24. In someembodiments, the cache 408 may be provided in the memory 37 of the localstorage device 24.

The cache 408 contains a plurality of cache slots 412-414 that may beused in connection to writes to the standard logical device 402 and, atthe same time, used in connection with the cache only virtual devices404, 406. In an embodiment herein, each track table entry of the cacheonly virtual devices 404, 406 contains a null to point to acorresponding track of the standard logical device 402. Otherwise, anentry in the track table for each of the cache only virtual devices 404,406 contains a pointer to one of the slots 412-414 in the cache 408.

Each of the cache only virtual devices 404, 406 may be used for one ofthe chunks of data 52, 54 so that, for example, the cache only virtualdevice 404 may correspond to the chunk of data 52 for sequence number Nwhile the cache only virtual device 406 may correspond to the chunk ofdata 54 for sequence number N−1. Thus, when data is written by the host22 to the local storage device 24, the data is provided to the cache 408and an appropriate pointer of the cache only virtual device 404 isadjusted. Note that the data will not be removed from the cache 408until the data is destaged to the standard logical device 402 and thedata is also released by the cache only virtual device 404, as describedelsewhere herein.

In an embodiment herein, one of the cache only virtual devices 404, 406is deemed “active” while the other is deemed “inactive”. Thus, forexample, when the sequence number N is even, the cache only virtualdevice 404 may be active while the cache only virtual device 406 isinactive. The active one of the cache only virtual devices 404, 406handles writes from the host 22 while the inactive one of the cache onlyvirtual devices 404, 406 corresponds to the data that is beingtransmitted from the local storage device 24 to the remote storagedevice 26.

While the data that is written by the host 22 is accumulated using theactive one of the cache only virtual devices 404, 406 (for the sequencenumber N), the data corresponding to the inactive one of the cache onlyvirtual devices 404, 406 (for previous sequence number N−1) istransmitted from the local storage device 24 to the remote storagedevice 26. For this and related embodiments, the DA's 35 a-35 c of thelocal storage device handle scanning the inactive one of the cache onlyvirtual devices 404, 406 to send copy requests to one or more of theRA's 30 a-30 c to transmit the data from the local storage device 24 tothe remote storage device 26. Thus, the steps 362, 374, discussed abovein connection with suspending and resuming copying, may includeproviding messages/commands to the DA's 35 a-35 c.

Once the data has been transmitted to the remote storage device 26, thecorresponding entry in the inactive one of the cache only virtualdevices 404, 406 may be set to null. In addition, the data may also beremoved from the cache 408 (i.e., the slot returned to the pool of slotsfor later use) if the data in the slot is not otherwise needed foranother purpose (e.g., to be destaged to the standard logical device402). A mechanism may be used to ensure that data is not removed fromthe cache 408 until all mirrors (including the cache only virtualdevices 404, 406) are no longer using the data. Such a mechanism isdescribed, for example, in U.S. Pat. No. 5,537,568 issued on Jul. 16,1996 and in U.S. Pat. No. 6,594,742 issued on Jul. 15, 2003, both ofwhich are incorporated by reference herein.

Referring to FIG. 12, a flow chart 440 illustrates steps performed bythe HA 28 in connection with a host 22 performing a write operation forembodiments where two COVD's are used by the R1 device to provide thesystem described herein. Processing begins at a first step 442 where aslot corresponding to the write is locked. In an embodiment herein, eachof the slots 412-414 of the cache 408 corresponds to a track of data onthe standard logical device 402. Locking the slot at the step 442prevents additional processes from operating on the relevant slot duringthe processing performed by the HA 28 corresponding to the steps of theflow chart 440.

Following the step 442 is a step 444 where a value for N, the sequencenumber, is set. Just as with the embodiment that uses lists rather thanCOVD's on the R1 side, the value for the sequence number obtained at thestep 444 is maintained during the entire write operation performed bythe HA 28 while the slot is locked. As discussed elsewhere herein, thesequence number is assigned to each write to set the one of the chunksof data 52, 54 to which the write belongs. Writes performed by the host22 are assigned the current sequence number. It is useful that a singlewrite operation maintain the same sequence number throughout.

Following the step 444 is a test step 446, which determines if theinactive one of the cache only virtual devices 404, 406 already pointsto the slot that was locked at the step 442 (the slot being operatedupon). This may occur if a write to the same slot was provided when thesequence number was one less than the current sequence number. The datacorresponding to the write for the previous sequence number may not yethave been transmitted to the remote storage device 26.

If it is determined at the test step 446 that the inactive one of thecache only virtual devices 404, 406 does not point to the slot, thencontrol transfers from the test step 446 to another test step 448, whereit is determined if the active one of the cache only virtual devices404, 406 points to the slot. It is possible for the active one of thecache only virtual devices 404, 406 to point to the slot if there hadbeen a previous write to the slot while the sequence number was the sameas the current sequence number. If it is determined at the test step 448that the active one of the cache only virtual devices 404, 406 does notpoint to the slot, then control transfers from the test step 448 to astep 452 where a new slot is obtained for the data. Following the step452 is a step 454 where the active one of the cache only virtual devices404, 406 is made to point to the slot.

Following the step 454, or following the step 448 if the active one ofthe cache only virtual devices 404, 406 points to the slot, is a step456 where flags are set. At the step 456, the RDF_WP) flag (RDF writepending flag) is set to indicate that the slot needs to be transmittedto the remote storage device 26 using RDF. In addition, at the step 456,the IN_CACHE flag is set to indicate that the slot needs to be destagedto the standard logical device 402. Note that, in some instances, if theactive one of the cache only virtual devices 404, 406 already points tothe slot (as determined at the step 448) it is possible that the RDF_WPand IN_CACHE flags were already set prior to execution of the step 456.However, setting the flags at the step 456 ensures that the flags areset properly no matter what the previous state.

Following the step 456 is a step 458 where an indirect flag in the tracktable that points to the slot is cleared, indicating that the relevantdata is provided in the slot and not in a different slot indirectlypointed to. Following the step 458 is a step 462 where the data beingwritten by the host 22 and the HA 28 is written to the slot. Followingthe step 462 is a step 464 where the slot is unlocked. Following step464, processing is complete.

If it is determined at the test step 446 that the inactive one of thecache only virtual devices 404, 406 points to the slot, then controltransfers from the step 446 to a step 472, where a new slot is obtained.The new slot obtained at the step 472 may be used for the inactive oneof the cache only virtual devices 404, 406 to effect the RDF transferwhile the old slot may be associated with the active one of the cacheonly virtual devices 404, 406, as described below.

Following the step 472 is a step 474 where the data from the old slot iscopied to the new slot that was obtained at the step 472. Following thestep 474 is a step 476 where the indirect flag (discussed above) is setto indicate that the track table entry for the inactive one of the cacheonly virtual devices 404, 406 points to the old slot but that the datais in the new slot which is pointed to by the old slot. Thus, settingindirect flag at the step 476 affects the track table of the inactiveone of the cache only virtual devices 404, 406 to cause the track tableentry to indicate that the data is in the new slot.

Following the step 476 is a step 478 where the mirror bits for therecords in the new slot are adjusted. Any local mirror bits that werecopied when the data was copied from the old slot to the new slot at thestep 474 are cleared since the purpose of the new slot is to simplyeffect the RDF transfer for the inactive one of the cache only virtualdevices. The old slot will be used to handle any local mirrors.Following the step 478 is the step 462 where the data is written to theslot. Following step 462 is the step 464 where the slot is unlocked.Following the step 464, processing is complete.

Referring to FIG. 13, a flow chart 500 illustrates steps performed inconnection with the local storage device 24 transmitting the chunk ofdata 54 to the remote storage device 26. The transmission essentiallyinvolves scanning the inactive one of the cache only virtual devices404, 406 for tracks that have been written thereto during a previousiteration when the inactive one of the cache only virtual devices 404,406 was active. In this embodiment, the DA's 35 a-35 c of the localstorage device 24 scan the inactive one of the cache only virtualdevices 404, 406 to copy the data for transmission to the remote storagedevice 26 by one or more of the RA's 30 a-30 c using the RDF protocol.

Processing begins at a first step 502 where the first track of theinactive one of the cache only virtual devices 404, 406 is pointed to inorder to begin the process of iterating through all of the tracks.Following the first step 502 is a test step 504 where it is determinedif the RDF_WP) flag is set. As discussed elsewhere herein, the RDF_WPflag is used to indicate that a slot (track) contains data that needs tobe transmitted via the RDF link. The RDF_WP flag being set indicatesthat at least some data for the slot (track) is to be transmitted usingRDF. In an embodiment herein, the entire slot is not transmitted.Rather, only records within the slot that have the appropriate mirrorbits set (indicating the records have changed) are transmitted to theremote storage device 26. However, in other embodiments, it may bepossible to transmit the entire slot, provided that the remote storagedevice 26 only writes data corresponding to records having appropriatemirror bits set and ignores other data for the track, which may or maynot be valid.

If it is determined at the test step 504 that the cache slot beingprocessed has the RDF_WP flag set, then control transfers from the step504 to a test step 505, where it is determined if the slot contains thedata or if the slot is an indirect slot that points to another slot thatcontains the relevant data. In some instances, a slot may not containthe data for the portion of the disk that corresponds to the slot.Instead, the slot may be an indirect slot that points to another slotthat contains the data. If it is determined at the step 505 that theslot is an indirect slot, then control transfers from the step 505 to astep 506, where the data (from the slot pointed to by the indirect slot)is obtained. Thus, if the slot is a direct slot, the data for being sentby RDF is stored in the slot while if the slot is an indirect slot, thedata for being sent by RDF is in another slot pointed to by the indirectslot.

Following the step 506 or the step 505 if the slot is a direct slot is astep 507 where data being sent (directly or indirectly from the slot) iscopied by one of the DA's 35 a-35 c to be sent from the local storagedevice 24 to the remote storage device 26 using the RDF protocol.Following the step 507 is a test step 508 where it is determined if theremote storage device 26 has acknowledged receipt of the data. If not,then control transfers from the step 508 back to the step 507 to resendthe data. In other embodiments, different and more involved processingmay used to send data and acknowledge receipt thereof. Such processingmay include error reporting and alternative processing that is performedafter a certain number of attempts to send the data have failed.

Once it is determined at the test step 508 that the data has beensuccessfully sent, control passes from the step 508 to a step 512 toclear the RDF_WP flag (since the data has been successfully sent viaRDF). Following the step 512 is a step 514 where appropriate mirrorflags are cleared to indicate that at least the RDF mirror (R2) nolonger needs the data. In an embodiment herein, each record that is partof a slot (track) has individual mirror flags indicating which mirrorsuse the particular record. The R2 device is one of the mirrors for eachof the records and it is the flags corresponding to the R2 device thatare cleared at the step 514.

Following the step 514 is a test step 516 which determines if any of therecords of the track being processed have any other mirror flags set(for other mirror devices). If not, then control passes from the step516 to a step 518 where the slot is released (i.e., no longer beingused). In some embodiments, unused slots are maintained in a pool ofslots available for use. Note that if additional flags are still set forsome of the records of the slot, it may mean that the records need to bedestaged to the standard logical device 402 or are being used by someother mirror (including another R2 device). Following the step 518, orfollowing the step 516 if more mirror flags are present, is a step 522where the pointer that is used to iterate through each track entry ofthe inactive one of the cache only virtual devices 404, 406 is made topoint to the next track. Following the step 522 is a test step 524 whichdetermines if there are more tracks of the inactive one of the cacheonly virtual devices 404, 406 to be processed. If not, then processingis complete. Otherwise, control transfers back to the test step 504,discussed above. Note that the step 522 is also reached from the teststep 504 if it is determined that the RDF_WP flag is not set for thetrack being processed.

Referring to FIG. 14, a diagram 700 illustrates a host 702 coupled to aplurality of local storage devices 703-705. The diagram 700 also shows aplurality of remote storage devices 706-708. Although only three localstorage devices 703-705 and three remote storage devices 706-708 areshown in the diagram 700, the system described herein may be expanded touse any number of local and remote storage devices.

Each of the local storage devices 703-705 is coupled to a correspondingone of the remote storage devices 706-708 so that, for example, thelocal storage device 703 is coupled to the remote storage device 706,the local storage device 704 is coupled to the remote storage device 707and the local storage device 705 is coupled to the remote storage device708. The local storage device is 703-705 and remote storage device is706-708 may be coupled using the ordered writes mechanism describedherein so that, for example, the local storage device 703 may be coupledto the remote storage device 706 using the ordered writes mechanism. Asdiscussed elsewhere herein, the ordered writes mechanism allows datarecovery using the remote storage device in instances where the localstorage device and/or host stops working and/or loses data.

In some instances, the host 702 may run a single application thatsimultaneously uses more than one of the local storage devices 703-705.In such a case, the application may be configured to insure thatapplication data is consistent (recoverable) at the local storagedevices 703-705 if the host 702 were to cease working at any time and/orif one of the local storage devices 703-705 were to fail. However, sinceeach of the ordered write connections between the local storage devices703-705 and the remote storage devices 706-708 is asynchronous from theother connections, then there is no assurance that data for theapplication will be consistent (and thus recoverable) at the remotestorage devices 706-708. That is, for example, even though the dataconnection between the local storage device 703 and the remote storagedevice 706 (a first local/remote pair) is consistent and the dataconnection between the local storage device 704 and the remote storagedevice 707 (a second local/remote pair) is consistent, it is notnecessarily the case that the data on the remote storage devices 706,707 is always consistent if there is no synchronization between thefirst and second local/remote pairs.

For applications on the host 702 that simultaneously use a plurality oflocal storage devices 703-705, it is desirable to have the data beconsistent and recoverable at the remote storage devices 706-708. Thismay be provided by a mechanism whereby the host 702 controls cycleswitching at each of the local storage devices 703-705 so that the datafrom the application running on the host 702 is consistent andrecoverable at the remote storage devices 706-708. This functionality isprovided by a special application that runs on the host 702 thatswitches a plurality of the local storage devices 703-705 into multi-boxmode, as described in more detail below.

Referring to FIG. 15, a table 730 has a plurality of entries 732-734.Each of the entries 732-734 correspond to a single local/remote pair ofstorage devices so that, for example, the entry 732 may correspond topair of the local storage device 703 and the remote storage device 706,the entry 733 may correspond to pair of the local storage device 704 andthe remote storage device 707 and the entry 734 may correspond to thepair of local storage device 705 and the remote storage device 708. Eachof the entries 732-734 has a plurality of fields where a first field 736a-736 c represents a serial number of the corresponding local storagedevice, a second field 738 a-738 c represents a session number used bythe multi-box group, a third field 742 a-742 c represents the serialnumber of the corresponding remote storage device of the local/remotepair, and a fourth field 744 a-744 c represents the session number forthe multi-box group. The table 730 is constructed and maintained by thehost 702 in connection with operating in multi-box mode. In addition,the table 730 is propagated to each of the local storage devices and theremote storage devices that are part of the multi-box group. The table730 may be used to facilitate recovery, as discussed in more detailbelow.

Different local/remote pairs may enter and exit multi-box modeindependently in any sequence and at any time. The host 702 managesentry and exit of local storage device/remote storage device pairs intoand out of multi-box mode. This is described in more detail below.

Referring to FIG. 16, a flowchart 750 illustrates steps performed by thehost 702 in connection with entry or exit of a local/remote pair in toor out of multi-box mode. Processing begins at a first step 752 wheremulti-box mode operation is temporarily suspended. Temporarilysuspending multi-box operation at the step 752 is useful to facilitatethe changes that are made in connection with entry or exit of aremote/local pair in to or out of multi-box mode. Following the step752, is a step 754 where a table like the table 730 of FIG. 15 ismodified to either add or delete an entry, as appropriate. Following thestep 754 is a step 756 where the modified table is propagated to thelocal storage devices and remote storage devices of the multi-box group.Propagating the table at the step 756 facilitates recovery, as discussedin more detail elsewhere herein.

Following the step 756 is a step 758 where a message is sent to theaffected local storage device to provide the change. The local storagedevice may configure itself to run in multi-box mode or not, asdescribed in more detail elsewhere herein. As discussed in more detailbelow, a local storage device handling ordered writes operatesdifferently depending upon whether it is operating as part of amulti-box group or not. If the local storage device is being added to amulti-box group, the message sent at the step 758 indicates to the localstorage device that it is being added to a multi-box group so that thelocal storage device should configure itself to run in multi-box mode.Alternatively, if a local storage device is being removed from amulti-box group, the message sent at the step 758 indicates to the localstorage device that it is being removed from the multi-box group so thatthe local storage device should configure itself to not run in multi-boxmode.

Following step 758 is a test step 762 where it is determined if alocal/remote pair is being added to the multi-box group (as opposed tobeing removed). If so, then control transfers from the test step 762 toa step 764 where tag values are sent to the local storage device that isbeing added. The tag values are provided with the data transmitted fromthe local storage device to the remote storage device in a mannersimilar to providing the sequence numbers with the data. The tag valuesare controlled by the host and set so that all of the local/remote pairssend data having the same tag value during the same cycle. Use of thetag values is discussed in more detail below. Following the step 764, orfollowing the step 762 if a new local/remote pair is not being added, isa step 766 where multi-box operation is resumed. Following the step 766,processing is complete.

Referring to FIG. 17, a flow chart 780 illustrates steps performed inconnection with the host managing cycle switching for multiplelocal/remote pairs running as a group in multi-box mode. As discussedelsewhere herein, multi-box mode involves having the host synchronizecycle switches for more than one remote/local pair to maintain dataconsistency among the remote storage devices. Cycle switching iscoordinated by the host rather than being generated internally by thelocal storage devices. This is discussed in more detail below.

Processing for the flow chart 780 begins at a test step 782 whichdetermines if M seconds have passed. Just as with non-multi-boxoperation, cycle switches occur no sooner than every M seconds where Mis a number chosen to optimize various performance parameters. As thenumber M is increased, the amount of overhead associated with switchingdecreases. However, increasing M also causes the amount of data that maybe potentially lost in connection with a failure to also increase. In anembodiment herein, M is chosen to be thirty seconds, although, obviouslyother values for M may be used.

If it is determined at the test step 782 that M seconds have not passed,then control transfers back to the step 782 to continue waiting until Mseconds have passed.

Once it is determined at the test step 782 that M seconds have passed,control transfers from the step 782 to a step 784 where the host queriesall of the local storage devices in the multi-box group to determine ifall of the local/remote pairs are ready to switch. The local/remotepairs being ready to switch is discussed in more detail hereinafter.

Following the step 784 is a test step 786 which determines if all of thelocal/remote pairs are ready to switch. If not, control transfers backto the step 784 to resume the query. In an embodiment herein, it is onlynecessary to query local/remote pairs that were previously not ready toswitch since, once a local/remote pair is ready to switch, the pairremains so until the switch occurs.

Once it is determined at the test step 786 that all of the local/remotepairs in the multi-box group are ready to switch, control transfers fromthe step 786 to a step 788 where an index variable, N, is set equal toone. The index variable N is used to iterate through all thelocal/remote pairs (i.e., all of the entries 732-734 of the table 730 ofFIG. 15). Following the step 788 is a test step 792 which determines ifthe index variable, N, is greater than the number of local/remote pairsin the multi-box group. If not, then control transfers from the step 792to a step 794 where an open window is performed for the Nth localstorage device of the Nth pair by the host sending a command (e.g., anappropriate system command) to the Nth local storage device. Opening thewindow for the Nth local storage device at the step 794 causes the Nthlocal storage device to suspend writes so that any write by a host thatis not begun prior to opening the window at the step 794 will not becompleted until the window is closed (described below). Not completing awrite operation prevents a second dependant write from occurring priorto completion of the cycle switch. Any writes in progress that werebegun before opening the window may complete prior to the window beingclosed.

Following the step 794 is a step 796 where a cycle switch is performedfor the Nth local storage device. Performing the cycle switch at thestep 796 involves sending a command from the host 702 to the Nth localstorage device. Processing the command from the host by the Nth localstorage device is discussed in more detail below. Part of the processingperformed at the step 796 may include having the host provide new valuesfor the tags that are assigned to the data. The tags are discussed inmore detail elsewhere herein. In an alternative embodiment, theoperations performed at the steps 794, 796 may be performed as a singleintegrated step 797, which is illustrated by the box drawn around thesteps 794, 796.

Following the step 796 is a step 798 where the index variable, N, isincremented. Following step 798, control transfers back to the test step792 to determine if the index variable, N, is greater than the number oflocal/remote pairs.

If it is determined at the test step 792 that the index variable, N, isgreater than the number of local/remote pairs, then control transfersfrom the test step 792 to a step 802 where the index variable, N, is setequal to one. Following the step 802 is a test step 804 which determinesif the index variable, N, is greater than the number of local/remotepairs. If not, then control transfers from the step 804 to a step 806where the window for the Nth local storage device is closed. Closing thewindow of the step 806 is performed by the host sending a command to theNth local storage device to cause the Nth local storage device to resumewrite operations. Thus, any writes in process that were suspended byopening the window at the step 794 may now be completed after executionof the step 806. Following the step 806, control transfers to a step 808where the index variable, N, is incremented. Following the step 808,control transfers back to the test step 804 to determine if the indexvariable, N, is greater than the number of local/remote pairs. If so,then control transfers from the test step 804 back to the step 782 tobegin processing for the next cycle switch.

Referring to FIG. 18, a flow chart 830 illustrates steps performed by alocal storage device in connection with cycle switching. The flow chart830 of FIG. 18 replaces the flow chart 350 of FIG. 10 in instances wherethe local storage device supports both multi-box mode and non-multi-boxmode. That is, the flow chart 830 shows steps performed like those ofthe flow chart 350 of FIG. 10 to support non-multi-box mode and, inaddition, includes steps for supporting multi-box mode.

Processing begins at a first test step 832 which determines if the localstorage device is operating in multi-box mode. Note that the flow chart750 of FIG. 16 shows the step 758 where the host sends a message to thelocal storage device. The message sent at the step 758 indicates to thelocal storage device whether the local storage device is in multi-boxmode or not. Upon receipt of the message sent by the host at the step758, the local storage device sets an internal variable to indicatewhether the local storage device is operating in multi-box mode or not.The internal variable may be examined at the test step 832.

If it is determined at the test step 832 that the local storage deviceis not in multi-box mode, then control transfers from the test step 832to a step 834 to wait M seconds for the cycle switch. If the localstorage device is not operating in multi-box mode, then the localstorage device controls its own cycle switching and thus executes thestep 834 to wait M seconds before initiating the next cycle switch.

Following the step 834, or following the step 832 if the local storagedevice is in multi-box mode, is a test step 836 which determines if allof the HA's of the local storage device have set a bit indicating thatthe HA's have completed all of the I/O's for a previous sequence number.When the sequence number changes, each of the HA's notices the changeand sets a bit indicating that all I/O's of the previous sequence numberare completed. For example, if the sequence number changes from N−1 toN, an HA will set the bit when the HA has completed all I/O's forsequence number N−1. Note that, in some instances, a single I/O for anHA may take a long time and may still be in progress even after thesequence number has changed. Note also that, for some systems, adifferent mechanism may be used to determine if all HA's have completedtheir N−1 I/O's. The different mechanism may include examining devicetables. Once it is determined at the test step 836 that all HA's haveset the appropriate bit, control transfers from the test step 836 to astep 888 which determines if the inactive chunk for the local storagedevice is empty. Once it is determined at the test step 888 that theinactive chunk is empty, control transfers from the step 888 to a step899, where copying of data from the local storage device to the remotestorage device is suspended. It is useful to suspend copying data untilthe sequence number switch is complete.

Following the step 899 is a test step 892 to determine if the localstorage device is in multi-box mode. If it is determined at the teststep 892 that the local storage device is in multi-box mode, thencontrol transfers from the test step 892 to a test step 894 to determineif the active chunk of the corresponding remote storage device is empty.As discussed in more detail below, the remote storage device sends amessage to the local storage device once it has emptied its activechunk. In response to the message, the local storage device sets aninternal variable that is examined at the test step 894.

Once it is determined at the test step 894 that the active chunk of theremote storage device is empty, control transfers from the test step 894to a step 896 where an internal variable is set on a local storagedevice indicating that the local storage device is ready to switchcycles. As discussed above in connection with the flow chart 780 of FIG.17, the host queries each of the local storage devices to determine ifeach of the local storage devices are ready to switch. In response tothe query provided by the host, the local storage device examines theinternal variable set at the step 896 and returns the result to thehost.

Following step 896 is a test step 898 where the local storage devicewaits to receive the command from the host to perform the cycle switch.As discussed above in connection with the flow chart 780 of FIG. 17, thehost provides a command to switch cycles to the local storage devicewhen the local storage device is operating in multi-box mode. Thus, thelocal storage device waits for the command at the step 898, which isonly reached when the local storage device is operating in multi-boxmode.

Once the local storage device has received the switch command from thehost, control transfers from the step 898 to a step 902 to send a commitmessage to the remote storage device. Note that the step 902 is alsoreached from the test step 892 if it is determined at the step test 892that the local storage device is not in multi-box mode. At the step 902,the local storage device sends a commit message to the remote storagedevice. In response to receiving a commit message for a particularsequence number, the remote storage device will begin restoring the datacorresponding to the sequence number, as discussed above.

Following the step 902 is a step 906 where the sequence number isincremented and a new value for the tag (from the host) is stored. Thesequence number is as discussed above. The tag is the tag provided tothe local storage device at the step 764 and at the step 796, asdiscussed above. The tag is used to facilitate data recovery, asdiscussed elsewhere herein.

Following the step 906 is a step 907 where completion of the cycleswitch is confirmed from the local storage device to the host by sendinga message from the local storage device to the host. In someembodiments, it is possible to condition performing the step 907 onwhether the local storage device is in multi-box mode or not, since, ifthe local storage device is not in multi-box mode, the host is notnecessarily interested in when cycle switches occur.

Following the step 907 is a step 908 where the bits for the HA's thatare used in the test step 836 are all cleared so that the bits may beset again in connection with the increment of the sequence number.Following the step 908 is a test step 912 which determines if the remotestorage device has acknowledged the commit message. Note that if thelocal/remote pair is operating in multi-box mode and the remote storagedevice active chunk was determined to be empty at the step 894, then theremote storage device should acknowledge the commit message nearlyimmediately since the remote storage device will be ready for the cycleswitch immediately because the active chunk thereof is already empty.

Once it is determined at the test step 912 that the commit message hasbeen acknowledged by the remote storage device, control transfers fromthe step 912 to a step 914 where the suspension of copying, which wasprovided at the step 899, is cleared so that copying from the localstorage device to the remote storage device may resume. Following thestep 914, processing is complete.

Referring to FIG. 19, a flow chart 940 illustrates steps performed inconnection with RA's scanning the inactive buffers to transmit RDF datafrom the local storage device to the remote storage device. The flowchart 940 of FIG. 19 is similar to the flow chart 200 of FIG. 6 andsimilar steps are given the same reference number. However, the flowchart 940 includes two additional steps 942, 944 which are not found inthe flow chart 200 of FIG. 6. The additional steps 942, 944 are used tofacilitate multi-box processing. After data has been sent at the step212, control transfers from the step 212 to a test step 942 whichdetermines if the data being sent is the last data in the inactive chunkof the local storage device. If not, then control transfers from thestep 942 to the step 214 and processing continues as discussed above inconnection with the flow chart 200 of FIG. 6. Otherwise, if it isdetermined at the test step 942 that the data being sent is the lastdata of the chunk, then control transfers from the step 942 to the step944 to send a special message from the local storage device to theremote storage device indicating that the last data has been sent.Following the step 944, control transfers to the step 214 and processingcontinues as discussed above in connection with the flow chart 200 ofFIG. 6. In some embodiments, the steps 942, 944 may be performed by aseparate process (and/or separate hardware device) that is differentfrom the process and/or hardware device that transfers the data.

Referring to FIG. 20, a flow chart 950 illustrates steps performed inconnection with RA's scanning the inactive buffers to transmit RDF datafrom the local storage device to the remote storage device. The flowchart 950 of FIG. 20 is similar to the flow chart 500 of FIG. 13 andsimilar steps are given the same reference number. However, the flowchart 950 includes an additional step 952, which is not found in theflow chart 500 of FIG. 13. The additional steps 952 is used tofacilitate multi-box processing and is like the additional step 944 ofthe flowchart 940 of FIG. 19. After it is determined at the test step524 that no more slots remain to be sent from the local storage deviceto the remote storage device, control transfers from the step 524 to thestep 952 to send a special message from the local storage device to theremote storage device indicating that the last data for the chunk hasbeen sent. Following the step 952, processing is complete.

Referring to FIG. 21, a flow chart 960 illustrates steps performed atthe remote storage device in connection with providing an indicationthat the active chunk of the remote storage device is empty. The flowchart 960 is like the flow chart 300 of FIG. 9 except that the flowchart 960 shows a new step 962 that is performed after the active chunkof the remote storage device has been restored. At the step 962, theremote storage device sends a message to the local storage deviceindicating that the active chunk of the remote storage device is empty.Upon receipt of the message sent at the step 962, the local storagedevice sets an internal variable indicating that the inactive buffer ofthe remote storage device is empty. The local variable is examined inconnection with the test step 894 of the flow chart 830 of FIG. 18,discussed above.

Referring to FIG. 22, a diagram 980 illustrates the host 702, localstorage devices 703-705 and remote storage devices 706-708, that areshown in the diagram 700 of FIG. 14. The Diagram 980 also includes afirst alternative host 982 that is coupled to the host 702 and the localstorage devices 703-705. The diagram 980 also includes a secondalternative host 984 that is coupled to the remote storage devices706-708. The alternative hosts 982, 984 may be used for data recovery,as described in more detail below.

When recovery of data at the remote site is necessary, the recovery maybe performed by the host 702 or, by the host 982 provided that the linksbetween the local storage devices 703-705 and the remote storage devices706-708 are still operational. If the links are not operational, thendata recovery may be performed by the second alternative host 984 thatis coupled to the remote storage devices 706-708. The second alternativehost 984 may be provided in the same location as one or more of theremote storage devices 706-708. Alternatively, the second alternativehost 984 may be remote from all of the remote storage devices 706-708.The table 730 that is propagated throughout the system is accessed inconnection with data recovery to determine the members of the multi-boxgroup.

Referring to FIG. 23, a flow chart 1000 illustrates steps performed byeach of the remote storage devices 706-708 in connection with the datarecovery operation. The steps of the flowchart 1000 may be executed byeach of the remote storage devices 706-708 upon receipt of a signal or amessage indicating that data recovery is necessary. In some embodiments,it may be possible for a remote storage device to automatically sensethat data recovery is necessary using, for example, conventionalcriteria such as length of time since last write.

Processing begins at a first step 1002 where the remote storage devicefinishes restoring the active chunk in a manner discussed elsewhereherein. Following the step 1002 is a test step 1004 which determines ifthe inactive chunk of the remote storage device is complete (i.e., allof the data has been written thereto). Note that a remote storage devicemay determine if the inactive chunk is complete using the message sentby the local storage device at the steps 944, 952, discussed above. Thatis, if the local storage device has sent the message at the step 944 orthe step 952, then the remote storage device may use receipt of thatmessage to confirm that the inactive chunk is complete.

If it is determined at the test step 1004 that the inactive chunk of theremote storage device is not complete, then control transfers from thetest step 1004 to a step 1006 where the data from the inactive chunk isdiscarded. No data recovery is performed using incomplete inactivechunks since the data therein may be inconsistent with the correspondingactive chunks. Accordingly, data recovery is performed using activechunks and, in some cases, inactive chunks that are complete. Followingthe step 1006, processing is complete.

If it is determined at the test step 1004 that the inactive chunk iscomplete, then control transfers from the step 1004 to the step 1008where the remote storage device waits for intervention by the host. Ifan inactive chunk, one of the hosts 702, 982, 984, as appropriate, needsto examine the state of all of the remote storage devices in themulti-box group to determine how to perform the recovery. This isdiscussed in more detail below.

Following step 1008 is a test step 1012 where it is determined if thehost has provided a command to all storage device to discard theinactive chunk. If so, then control transfers from the step 1012 to thestep 1006 to discard the inactive chunk. Following the step 1006,processing is complete.

If it is determined at the test step 1002 that the host has provided acommand to restore the complete inactive chunk, then control transfersfrom the step 1012 to a step 1014 where the inactive chunk is restoredto the remote storage device. Restoring the inactive chunk in the remotestorage device involves making the inactive chunk an active chunk andthen writing the active chunk to the disk as described elsewhere herein.Following the step 1014, processing is complete.

Referring to FIG. 24, a flow chart 1030 illustrates steps performed inconnection with one of the hosts 702, 982, 984 determining whether todiscard or restore each of the inactive chunks of each of the remotestorage devices. The one of the hosts 702, 982, 984 that is performingthe restoration communicates with the remote storage devices 706-708 toprovide commands thereto and to receive information therefrom using thetags that are assigned by the host as discussed elsewhere herein.

Processing begins at a first step 1032 where it is determined if any ofthe remote storage devices have a complete inactive chunk. If not, thenthere is no further processing to be performed and, as discussed above,the remote storage devices will discard the incomplete chunks on theirown without host intervention. Otherwise, control transfers from thetest step 1032 to a test step 1034 where the host determines if all ofthe remote storage devices have complete inactive chunks. If so, thencontrol transfers from the test step 1034 to a test step 1036 where itis determined if all of the complete inactive chunks of all of theremote storage devices have the same tag number. As discussed elsewhereherein, tags are assigned by the host and used by the system to identifydata in a manner similar to the sequence number except that tags arecontrolled by the host to have the same value for the same cycle.

If it is determined at the test step 1036 that all of the remote storagedevices have the same tag for the inactive chunks, then controltransfers from the step 1036 to a step 1038 where all of the inactivechunks are restored. Performing the step 1038 ensures that all of theremote storage devices have data from the same cycle. Following the step1038, processing is complete.

If it is determined at the test step 1034 that all of the inactivechunks are not complete, or if it is determined that at the step 1036that all of the complete inactive chunks do not have the same tag, thencontrol transfers to a step 1042 where the host provides a command tothe remote storage devices to restore the complete inactive chunkshaving the lower tag number. For purposes of explanation, it is assumedthat the tag numbers are incremented so that a lower tag numberrepresents older data. By way of example, if a first remote storagedevice had a complete inactive chunk with a tag value of three and asecond remote storage device had a complete inactive chunk with a tagvalue of four, the step 1042 would cause the first remote storage device(but not the second) to restore its inactive chunk. Following the step1042 is a step 1044 where the host provides commands to the remotestorage devices to discard the complete inactive buffers having a highertag number (e.g., the second remote storage device in the previousexample). Following step 1044, processing is complete.

Following execution of the step 1044, each of the remote storage devicescontains data associated with the same tag value as data for the otherones of the remote storage devices. Accordingly, the recovered data onthe remote storage devices 706-708 should be consistent.

Referring to FIG. 25, a diagram 1120 illustrates an embodiment where astorage device 1124, which is like the storage device 24 and/or thestorage device 26, includes a plurality of directors 1152 a-1152 c thatare coupled to a memory 1126, like the memory 37 and/or the memory 38 ofthe storage devices 24, 26. Each of the directors 1152 a-1152 crepresents an HA, DA, and/or RA like the HA 28, the DA's 35 a-35 c, 36a-36 c, and/or the RA's 30 a-30 c, 32 a-32 c of the storage devices. Inan embodiment disclosed herein, there may be up to sixteen directorscoupled to the memory 1126. Of course, for other embodiments, there maybe a higher or lower maximum number of directors that may be used.

The diagram 1120 also shows an optional communication module (CM) 1154that provides an alternative communication path between the directors1152 a-1152 c. Each of the directors 1152 a-1152 c may be coupled to theCM 1154 so that any one of the directors 1152 a-1152 c may send amessage and/or data to any other one of the directors 1152 a-1152 cwithout needing to go through the memory 1126. The CM 1154 may beimplemented using conventional MUX/router technology where a sending oneof the directors 1152 a-1152 c provides an appropriate address to causea message and/or data to be received by an intended receiving one of thedirectors 1152 a-1152 c. In addition, a sending one of the directors1152 a-1152 c may be able to broadcast a message to all of the otherdirectors 1152 a-1152 c at the same time.

Refer to FIG. 26, a diagram 1200 illustrates a system that includes asource group 1202, a local destination 1204, and a remote destination1206. The source group 1202 communicates with both the local destination1204 and the remote destination 1206. The source group 1202 mayrepresent a single storage device, a plurality of storage devices, asingle or plurality of storage devices with a single host, or a singleor plurality of storage devices with multiple hosts. Data is generatedat the source group 1202 and stored at the source group 1202 andtransmitted to the local destination 1204 and the remote destination1206. In some embodiments, the local group may operate in some ways asdiscussed above in connection with the embodiment described above inconnection with FIG. 14.

In an embodiment herein, the local destination 1204 represents a singleor plurality of storage devices that are in relatively close proximityto the source group 1202 to allow for synchronous data mirroring fromthe source group 1202 to the local destination 1204. In an embodimentherein, the local destination 1204 is located in the same building, atthe same facility, and/or at the same corporate location as the sourcegroup 1202. Thus, for example, the local destination 1204 may representa backup storage device (or plurality of storage devices) managed by thesame group of individuals that manages the source group 1202.

The remote destination 1206 represents a storage device and/or aplurality of storage devices at a location that is geographicallydistant from the source group 1202. For example, the remote destination1206 may represent a storage device or group of storage devices on thewest coast of the United States while the source group 1202 is locatedon the east coast of the United States. Because of the relatively largegeographic distance between the source group 1202 and the remotedestination 1206, it may be impractical to use a synchronous orsemi-synchronous data transfer mode to mirror data on the remotedestination 1206 from the source group 1202. That is, because of thelong round trip time from the source group 1202 to the remotedestination 1206 and back to the source group 1202, it may not befeasible to use synchronous or semi-synchronous data mirroring whichprovides for acknowledgment of data at the remote destination 1206 priorto acknowledging a write to a host of the local group 1202. In suchcase, it may be possible to use ordered writes between the source group1202 and the remote destination 1206 so that the remote destination 1206is a consistent, although somewhat time delayed, mirror of the sourcegroup 1202. In such an arrangement, the related group of storage devicesmay be deemed a “consistency group” or “con group”.

A communication path 1208 may also exist between the local destination1204 and the remote destination 1206. As long as the source group 1202is operational, the communication path 1208 may not be used. However, ininstances where the source group 1202 becomes non-operational and/or ininstances where the communication links between the source group 1202and one or both of the local destination 1204 and the remote destination1206 become non-operational, then the communication path 1208 may beused to synchronize the data between the local destination 1204 and theremote destination 1206, as described in more detail elsewhere herein.In addition, a host may be provided to one of the local destination 1204or the remote destination 1206 to resume operation of the system aftersynchronization, as described in more detail elsewhere herein. Note thatif the operation is resumed with a host coupled to the local destination1204, then the communication link 1208 may be used so that the remotedestination 1206 is a mirror of the local destination 1204. Conversely,if operation is resumed by providing a host to the remote destination1206, then the communication link 1208 may be used so that the localdestination 1204 is a mirror of the remote destination 1206.

Referring to FIG. 27, a flow chart 1230 illustrates steps performed inconnection with initializing parameters at the local destination 1204 toprovide the recovery mechanism discussed herein. The recovery mechanismdescribed herein uses the Symmetrix Differential Data Facility (SDDF),which allows for a plurality sessions, each having a bitmap associatedtherewith with bits that are set to one whenever there is a write to acorresponding data location during a particular time period. If no writeoccurs to a particular location, the corresponding bit remains cleared(i.e., remains zero). In an embodiment herein, each bit may correspondto a track of data. However, for other embodiments, it is possible tohave each bit correspond to larger or smaller increments of data and itis also possible that different bits and/or different sets of bitscorrespond to different amounts of data.

Operations associated with an SDDF session include creating an SDDFsession, activating an SDDF session, clearing bits of the bitmap for anSDDF session, deactivating an SDDF session, and terminating an SDDFsession. Creating an SDDF session, clearing the bits thereof, andterminating an SDDF session are fairly self-explanatory. Activating anSDDF session causes a bit of the SDDF session bitmap to be set whenevera corresponding track (or other appropriate data increment) is written.Deactivating an SDDF session suspends the setting of bits. The SDDFmechanism discussed herein may be implemented using the descriptionprovided in U.S. Pat. No. 6,366,986, which is incorporated by referenceherein.

Processing for the flow chart 1230 begins at a first step 1232 where afirst SDDF session, SDDF_1, is created. In an embodiment describedherein, creation of an SDDF session does not cause automatic activationof the session. Following step 1232 is a step 1234 where the bits of thebitmap of the SDDF session created at the step 1232 are cleared.Following step 1234 is a step 1236 where a second SDDF session, SDDF_2,is created. Following step 1236 is a step 1238 where the bits of thebitmap of the SDDF session created at the step 1236 are cleared.

Following the step 1238 is a step 1242 where a state is initialized. Thestate initialized at the step 1242 may be used to determine which of theSDDF sessions, SDDF_1 or SDDF_2, will be activated. As described in moredetail elsewhere herein, there may be two possible states and the stateset at the step 1242 may be toggled to cause the SDDF_1 session and theSDDF_2 session to be alternatively activated. In other embodiments, atoken or some other type of variable may be used to indicate theselection of either SDDF_1 or SDDF_2. Following the step 1242 is a step1244 where SDDF_1 is activated. Activating SDDF_1 at the step 1244causes the bits of the bit map of the SDDF_1 session to be set whenevera track (or other data increment) of the local destination 1204 ismodified.

The SDDF_1 and SDDF_2 sessions are used by the local destination 1204 tokeep track of the active and inactive buffers used by the source group1202 in connection with ordered writes by the source group 1202 to theremote destination 1206. As discussed in more detail elsewhere herein,each time the source group 1202 makes a cycle switch in connection withordered writes from the source group 1202 to the remote destination1206, the source group 1202 sends a message to the local destination1204 indicating that a cycle switch has been performed so that the localdestination 1204 may toggle the state (initialized in the step 1242,discussed above). Use of the cycle switch information by the localdestination 1204 is discussed in more detail elsewhere herein.

Referring to FIG. 28A, a flow chart 1250 illustrates steps performed bythe local destination 1204 in connection with receiving an I/O from thesource group 1202 during normal (i.e., non-failure) operation.Processing begins at a first step 1252 where the I/O is received by thelocal destination 1204. Following the step 1252 is a test step 1254which determines if the I/O received from the source group 1202indicates that the local group 1202 is ready to switch in connectionwith ordered writes between the local group 1202 and the remotedestination 1206. The local group 1202 being ready to switch isdescribed in more detail elsewhere herein.

If the received data indicates that the local group 1202 is ready toswitch, then control transfers from the step 1254 to a step 1256, whereit is determined if the inactive one of the SDDF sessions (SDDF_1 orSDDF_2) is clear. In some embodiments, the SDDF sessions may be clearedat the step 1256. In other instances, the amount of time needed to clearan SDDF session at the step 1256 would be unacceptable, in which casemore than two SDDF sessions may be used for SDDF_1 and SDDF_2 and may berotated so that an SDDF session that is about to be activated is alwayscleared asynchronously. In any event, the processing performed at thestep 1256 relates to clearing the inactive one of SDDF_1 and SDDF_2 sothat, after performing the step 1256, the inactive session is clear.

Following the step 1256 is a step 1258 where the inactive one of theSDDF sessions is activated so that both SDDF_1 and SDDF_2 are activatedafter performing the processing at the step 1258. Thus, subsequentwrites-reflected in the bitmaps for both SDDF_1 and SDDF_2. Followingthe step 1258, processing is complete.

If it is determined at the step 1254 that the received data does notcorrespond to a ready to switch signal, then control transfers from thestep 1254 to a test step 1262 where it is determined if the receiveddata corresponds to a cycle switch being performed. If so, then controltransfers from the step 1262 to a step 1264 where the state, initializedat the step 1242 of the flow chart 1230 of FIG. 27, is toggled. Asdiscussed elsewhere herein, the state is used to determine which one ofSDDF_1 and SDDF_2 will be activated and deactivated. Following the step1264 is a step 1266, where one of the SDDF sessions, SDDF_1 or SDDF_2,is deactivated, depending on the particular value of the state set atthe step 1264. Note that even though an SDDF session is deactivated atthe step 1266, that SDDF session is not cleared until the next ready toswitch signal is received. Of course, if more than two SDDF sessions areused for SDDF_1 and SDDF_2, as discussed above, then the SDDF sessiondeactivated at the step 1266 may be maintained while another SDDFsession is cleared to prepare for being activated at the step 1258,discussed above.

If it is determined at the step 1262 that the received data does notcorrespond to a cycle switch, then control transfers from the test step1262 to a step 1268 where the I/O is performed. For example, if the I/Ois a write operation, then, at the step 1268, data is written to thestorage area of the local destination 1204. Following step 1268 is astep 1272 where it is determined if the I/O operation is a writeoperation. If not (e.g., the I/O operation is a read operation), thenprocessing is complete. Otherwise, control transfers from the step 1272to a step 1274 where a bit is set in the appropriate one of the SDDFsessions, SDDF_1, SDDF_2, or both depending upon which one of the SDDFsessions is activated. Following step 1274, processing is complete.

In some instances, it may not be desirable to wait to clear an SDDFbitmap just prior to pointing the same SDDF bitmap. In those cases, itmay be useful to have more than two SDDF bitmaps where two at a time areused like SDDF_1 and SDDF_2 while the remainder of the SDDF bitmaps arealready clear and waiting to be used or are being cleared using abackground process. For example, using three bitmaps SDDF_A, SDDF_B, andSDDF_C, SDDF_1 may correspond to SDDF_A while SDDF_2 may correspond toSDDF_C. In such a case, SDDF_B may be cleared while processing is beingperformed on SDDF_A and SDDF_C. When the cycle switches, SDDF_B (whichis already clear) may be used while SDDF_C is cleared using a backgroundprocess that may run even after the cycle switch is complete and newdata is being logged to SDDF_B.

Referring to FIG. 28B, a flow chart 1280 illustrates an alternativeembodiment that uses a plurality of SDDF bitmaps, SDDF[0], SDDF[1], . .. SDDF[NMAPS−1], where NMAPS is the number of SDDF maps. In anembodiment herein, NMAPS is greater than two (e.g., three). Many of thestep of the flow chart 1280 are like steps of the flow chart 1250 ofFIG. 28A.

Processing begins at a first step 1282 where the I/O is received by thelocal destination 1204. Following the step 1282 is a test step 1283which determines if the I/O received from the source group 1202indicates that the local group 1202 is ready to switch in connectionwith ordered writes between the local group 1202 and the remotedestination 1206. The local group 1202 being ready to switch isdescribed in more detail elsewhere herein.

If the received data indicates that the local group 1202 is ready toswitch, then control transfers from the step 1283 to a step 1284 wherean index, K, is incremented and the result thereof is set to moduloNMAPS. Following the step 1284 is a step 1285, where it is confirmedthat SDDF[K] is clear. Following the step 1285 is a step 1286 whereSDDF[K] is activated so that both SDDF[K] and SDDF[K−1] are activatedafter performing the processing at the step 1286. Thus, subsequentwrites reflected in the bitmaps for both SDDF[K] and SDDF[K−1].Following the step 1286, processing is complete. Note that, if K iszero, then SDDF[K−1] actually refers to SDDF[NMAPS−1].

If it is determined at the step 1283 that the received data does notcorrespond to a ready to switch signal, then control transfers from thestep 1283 to a test step 1287, where it is determined if the receiveddata corresponds to a cycle switch. If it is determined at the step 1287that the received data corresponds to a cycle switch (see discussionabove in connection with the flow chart 1250 of FIG. 28A), then controltransfers from the step 1287 to a step 1288 where the state (discussedabove) is toggled. Following the step 1288 is a step 1289 where avariable J is set equal to (K−2) modulo NMAPS. Since K is an indexvariable used to keep track of the most recently activated SDDF bitmap,setting J at the step 1289 causes J to point to the third most recentlyactivated SDDF bitmap. Following the step 1289 is a step 1292 where aprocess is started to clear the SDDF[J] bitmap. As discussed elsewhereherein, it is not necessary for the process begun at the step 1292 to becompleted in order to complete the cycle switch and to beginaccumulating new data.

Following the step 1292 is a step 1294 where a variable J is set equalto (K−1) modulo NMAPS. Since K is an index variable used to keep trackof the most recently activated SDDF bitmap, setting J at the step 1294causes J to point to the second most recently activated SDDF bitmap.Following the step 1294 is a step 1296 where SDDF[J] is deactivated.However, even though SDDF[J] is deactivated at the step 1296, the datais maintained for restoration purposes until the next cycle switch.Following the step 1296, processing is complete.

Referring to FIG. 28C, a flow chart 1300 illustrates yet anotherembodiment for processing related to the local destination 1204receiving an I/O from the source group 1202 during normal (i.e.,non-failure) operation. Processing begins at a first step 1302 where theI/O is received by the local destination 1204. Following the step 1302is a test step 1304 where it is determined if the received datacorresponds to a cycle switch being performed. If so, then controltransfers from the step 1304 to a test step 1306 where it is determinedif two or more cycle switches have occurred since the last time thestate was toggled. If not, then processing is complete. Otherwise,control transfers from the step 1306 to a step 1307 where it isdetermined if the currently inactive SDDF session, SDDF_X, is clear. Ifso, then control transfers from the step 1307 to a step 1308 where thestate, initialized at the step 1242 of the flow chart 1230 of FIG. 27,is toggled. As discussed elsewhere herein, the state is used todetermine which one of SDDF_1 and SDDF_2 will be activated anddeactivated.

Following the step 1308 is a step 1309 where one of the SDDF sessions,SDDF_1 or SDDF_2, as indicated by the state, is activated. Following thestep 1309 is a step 1312 where the other one of the SDDF sessions isdeactivated. Following the step 1312, processing is complete.

If it is determined at the test step 1307 that SDDF_X is not clear, thencontrol transfers from the step 1307 to a step 1313, where it isdetermined if clearing SDDF_X has already been started (i.e., in aprevious iteration). If so, then processing is complete. Otherwise,control transfers from the step 1313 to a step 1314, where a process toclear SDDF_X is begun. Following the step 1314, processing is complete.

If it is determined at the step 1304 that the received data does notcorrespond to a cycle switch, then control transfers from the test step1304 to a step 1316 where the I/O is performed. For example, if the I/Ois a write operation, then, at the step 1316 data is written to thestorage area of the local destination 1204. Following step 1316 is astep 1317 where it is determined if the I/O operation is a writeoperation. If not (e.g., the I/O operation is a read operation), thenprocessing is complete. Otherwise, control transfers from the step 1317to a step 1318 where a bit is set in the appropriate one of the SDDFsessions, SDDF_1 or SDDF_2, (SDDF_X or SDDF_Y) depending upon which oneof the SDDF sessions is activated. Following step 1318, processing iscomplete.

Referring to FIG. 29, a flow chart 1320 illustrates steps performed inconnection with collecting recovery data at the remote destination 1206.Unlike the local destination 1204, which is always collecting recoverydata during steady state operation, the remote destination 1206 may notcollect recovery data unless and until it receives a signal to do so. Inan embodiment herein, the source group 1202 may provide such a signal tothe remote destination 1206 when, for example, the source group 1202detects that the link(s) between the source group 1202 and the localdestination 1204 are not working and/or when the source group 1202detects that the local destination 1204 is not appropriately receivingor processing data. In other embodiments or in other situations, theremote destination 1206 may receive an appropriate signal from alocation or element other than the source group 1202.

Processing begins at a first step 1322 where a third SDDF session,SDDF_3 is created. Following the step 1322 is a step 1324 where thebitmap of the SDDF session created at the step 1322 is cleared.Following step 1324 is a step 1326 where a token value (described inmore detail elsewhere herein) is set to zero. Following the step 1326,processing is complete.

Referring to FIG. 30, a flow chart 1330 illustrates steps performed bythe remote destination 1206 in connection with collection of recoverydata. Processing begins at a first step 1331 where the remotedestination 1206 waits for a failure message from the source group 1202or from some other source, as appropriate. Once a failure message hasbeen received, control transfers from the step 1331 to a step 1332 whereSDDF_3 session is activated to begin collecting data regarding thetracks (or other appropriate data increments) of the remote destination1206 to which a write has been performed. Note, however, that SDDF_3reflects writes that have been committed (i.e.,. are one behind thecurrent cycle being received).

Following the step 1332 is a step 1333 where a token value (describedbelow) is initialized to zero. Following the step 1333 is a step 1334where the remote destination 1206 receives an I/O from the source group1202. Note that the I/O received at the step 1334 may represent orderedwrites data that the local group 1202 sends to the remote destination1206 in non-failure mode.

Following the step 1334 is a test step 1336 which determines if the I/Oreceived from the source group 1202 at the step 1334 indicates a cycleswitch by the source group 1202. If not (i.e., the data is conventionalordered writes data to be written to the remote destination 1206 or someother type of data), then control transfers from the test step 1336 backto the step 1334 to receive the next I/O.

If it is determined at the test step 1336 that the data from the sourcegroup 1202 indicates a cycle switch, then control transfers from thetest step 1336 to a step 1338 to increment the token, which keeps trackof the number of cycle switch since beginning collection of recoverydata. Following the step 1338 is a step 1342 where the bitmap of theSDDF_3 is set to reflect data of the committed cycle that had beenwritten. Note that the processing at the step 1342 may be performedautomatically in connection with operation of the activated SDDFsessions, in which case in may not be necessary to make the step 1342part of the recovery process shown if FIG. 30.

Note that the committed cycle is the cycle used to collect data prior tothe cycle switch. Following the step 1342 is a test step 1344 whichdetermines if processing is complete (i.e., collection of error recoverydata is complete). Processing may be complete if the error situation(e.g., failed link from the local group 1202 to the local destination1204) has been rectified or, for example, if the local destination 1204and the remote destination 1206 are being synchronized (discussedbelow). If it is determined at the step 1344 that processing is notcomplete, then control transfers from the test step 1344 back to thestep 1334 to receive another I/O. Otherwise, control transfers from thestep 1344 back to the step 1331 to wait for a new failure message. Notethat, in some embodiments, processing being complete at the step 1344may also cause certain recovery parameters to be reset, as discussed inmore detail below.

Referring to FIG. 31, a flow chart 1360 indicates steps performed inconnection with synchronizing the local destination 1204 and the remotedestination 1206. As discussed above, the local destination 1204 and theremote destination 1206 may be synchronized by transferring datatherebetween using the communication link 1208. After synchronization,the system may be restarted at the local destination 1204 or at theremote destination 1206 using the other as a mirror.

In connection with the synchronization, it may be useful to decide whichof the local destination 1204 and remote destination 1206 has the latest(i.e., the most up-to-date) data so that the data is transferred fromthe one of the remote destination 1206 and local destination 1204 thathas the most up-to-date data to the other.

Processing for the flow chart 1360 begins at a first step 1362, wherethe links are dropped between the source group 1202 and the localdestination 1204 and the links are dropped between the source group 1202and the remote destination 1206. Dropping the links at the step 1362helps ensure that the synchronization process will not be corrupted.Following the step 1362 is a step 1364 where the SDDF maps, createdwhile recovery information was being collected, is preserved. Followingthe step 1364 is a step 1366 where ordered writes between the sourcegroup 1202 and the local destination 1204 is terminated, for reasonssimilar to dropping the links at the step 1362.

Following the step 1366 is a test step 1368 where it is determined ifthe token value (discussed above) is greater than a predetermined valueN. Note that the token value indicates the number of cycle switches thathave occurred since collection of error recovery data began at theremote destination 1206. If the link between the source group 1202 andthe local destination 1204 has not been working and the remotedestination 1206 has begun collection of recovery data, then the remotedestination 1206 may contain more up-to-date data than the localdestination 1204. This will be determined by looking at the value of thetoken, which indicates the number of cycle switches that have occurredsince the remote destination 1206 received a signal to begin collectingrecovery data. Thus, if it is determined at the test step 1368 that thetoken is greater than some pre-determined value N (e.g., two), thencontrol transfers from the test step 1368 to a step 1371, where thebitmaps for all of the SDDF sessions (SDDF_1, SDDF_2, and SDDF_3) areORed (using an inclusive OR) to determine the tracks (or other dataamounts) of the remote destination 1206 and possibly of the localdestination 1204 that correspond to data for the active and inactivebuffers sent or in transit between the source group 1202 and the remotedestination 1206 prior to failure of the source group as well aspossible data that may be different on the local destination 1204.

Following the step 1371 is a step 1372 where the remote destination 1206sends data from the tracks corresponding to the set bits of the bitmapthat was the result or ORing the three bitmaps for SDDF_1, SDDF_2, andSDDF_3. The data from these tracks may be copied to the localdestination 1204 so that the remote destination 1206 and the localdestination 1204 may be synchronized. Following the step 1372,processing is complete. In an embodiment herein, N may be set to be nolower than two. Also, note that it may be possible to resume operationwith a host coupled to an appropriate one of the local destination 1204or the remote destination 1206 prior to completion of the copiesinitiated at the step 1376 or at the step 1372.

If it is determined at the test step 1368 that the token does not have avalue greater than N (e.g., the token is zero), then control transfersfrom the test step 1368 to a step 1374 where the bitmaps for all of theSDDF sessions (SDDF_1, SDDF_2, and, if it exists, SDDF_3) are ORed(using an inclusive OR) to determine the tracks (or other data amounts)of the local destination 1204 that correspond to data for the active andinactive buffers sent or in transit between the source group 1202 andthe remote destination 1206 prior to failure of the source group 1202.Following the step 1374 is a step 1376 where the data corresponding tothe ORing of the bitmaps is sent from the local destination 1204 to theremote destination 1206 via the communication link 1208. Once the datais sent from the local destination 1204 to the remote destination 1206,then the local destination 1204 and the remote destination 1206 will besynchronized. Following the step 1376, processing is complete.

The step 1372, 1374, 1376 may be accomplished using any number ofappropriate techniques. For example, a background copy may be initiatedto copy the data using bits indicated by the result of ORing the bitmapsof the SDDF sessions. In an embodiment herein, the steps 1372, 1374,1376 are performed using RDF, where an R1/R2 pair is first establishedusing, for example, the dynamic RDF mechanism disclosed in U.S. Pat. No.6,862,632, which is incorporated by reference herein. Following that,the bitmaps may be used to modify device table maps in one or both ofthe local destination 1204 and the remote destination 1206 to cause theRDF mechanism to perform a background copy.

Referring to FIG. 32, a flow chart 1380 illustrates in more detail stepsperformed in connection with the terminate ordered writes step 1366 ofthe flow chart 1360 of FIG. 31. Note that the processing of FIG. 32illustrates clean up when the source group 1202 uses a single storagedevice. In instances where the source group 1202 includes more than onestorage device, then the processing illustrated by the FIG. 23 may beused instead.

Processing begins at a first test step 1382 where it is determined ifall of the ordered writes data received by the remote destination 1206from the source group 1202 has been completely processed (saved by theremote destination). That is, at the test step 1382, it is determined ifthere is any data at the remote destination 1206 corresponding toordered writes cycles that have not been stored on the disk space of theremote destination 1206 or at least in the cache and marked for write tothe disk space. If it is determined at the test step 1382 that allordered writes data has been processed at the remote destination 1206,then processing is complete.

If it is determined at the test step 1382 that some of the orderedwrites data from the source group 1202 has not been processed, thencontrol transfers from the test step 1382 to a test step 1384 whichdetermines if the received, but unprocessed, ordered writes data at theremote destination 1206 corresponds to a complete ordered writes cycle.Note that, as the source group 1202 sends data corresponding to aparticular cycle to the remote destination 1206, the cycle at the remotedestination 1206 is not complete unless and until a commit message issent from the source group 1202 to the remote destination 1206. If it isdetermined at the test step 1384 that the unprocessed data correspondsto a complete ordered write cycle, then control transfers from the teststep 1384 to a step 1385 where the data for the cycle is stored bysaving the data to the disk of the remote destination 1206 and/ormarking the data in the cache of the remote storage device 1206 forwrite to the disk thereof. Following the step 1385, processing iscomplete.

If it is determined at the test step 1384 that the unprocessed orderedwrites data from the source group 1202 does not correspond to a completecycle, then control transfers from the test step 1384 to a step 1386where invalid bits are set on the device table of the remote destination1206. The invalid bits set at the step 1386 indicate that tracks (orsome other data increment) of the remote destination 1206 containinvalid data and thus need to be copied from another device to bebrought up-to-date. In this instance, the other device may be the localdestination 1204, depending upon which of the local destination 1204 andthe remote destination 1206 contains the most up-to-date information.The particular tracks (or other data elements) that are set to invalidin the device table of the remote destination 1206 correspond to thetracks indicated by the unprocessed ordered writes data received fromthe source group 1202. Following step 1386 is a step 1387 where theunprocessed ordered writes data for the incomplete cycle is discarded.Following step 1387, processing is complete.

Referring to FIG. 33, a flow chart 1390 illustrates in more detail stepsperformed in connection with the step 1376 where data is copied from thelocal destination 1204 to the remote destination 1206 or the step 1372where data is copied from the remote destination 1206 to the localdestination 1204. Processing begins at a first step 1392 where the OR ofSDDF_1, SDDF_2, and SDDF_3 (from the step 1374) is used to set a devicetable at whichever one of the local destination 1204 and the remotedestination 1206 will be the R1 device after recovery. If data is to becopied from the R1 device to the R2 device, then the device tablelocations corresponding to remote tracks are set at the step 1392.Otherwise, if data is to be copied from the R2 device to the R1 device,then the device table locations corresponding to local tracks are set atthe step 1392. In many instances, the tracks corresponding to themodification of the table at the step 1392 will be the same or asuperset of the modification to the table from the step 1386, discussedabove.

Following step 1392 is a step 1396 where the background copy process isbegun. The background copy process begun at the step 1396 causes data tocopied in a background process. Following step 1396, processing iscomplete.

Referring to FIG. 34, a flow chart 1450 illustrates steps performed inconnection with reinitializing the recovery parameters once normaloperation is restored between the source group 1202, the localdestination 1204, and the remote destination 1206. Processing begins ata first step 1452 where both of the SDDF sessions, SDDF_1 and SDDF_2,are deactivated. Following the step 1452 is a step 1454 where SDDF_1 iscleared. Following step 1454 is a step 1456 where SDDF_2 is cleared.Following the step 1456 is a step 1458 with a pointer that points to oneof the SDDF sessions is made to point SDDF_1. Following step 1458 is astep 1462 where SDDF_1 is activated. Following step 1462, processing iscomplete.

Referring to FIG. 35, a flow chart 1470 illustrates steps performed inconnection with resetting recovery parameters used by the remotedestination 1206. Processing begins at a first step 1472 where SDDF_3 isdeactivated. Following the step 1472 is a step 1474 where SDDF_3 iscleared. Following the step 1474 is a step 1476 where the token used bythe remote destination 1206 is cleared (set to zero). Following the step1476, processing is complete. Note that, in some embodiments, it ispossible to also terminate SDDF_3 at or after the step 1472 so thatSDDF_3 may be recreated at the step 1322 of the flow chart 1320 of FIG.29, discussed above.

Referring to FIG. 36, a diagram shows a possible configuration of thesource group 1202. In the diagram of FIG. 36, the source group 1202includes a host 1502 coupled to a single local storage device 1504. Thelocal storage device 1202 is coupled to both the local destination 1204and the remote destination 1206. In the configuration shown in FIG. 36,all of the processing described herein may be performed by the localstorage device 1504 or, alternatively, some of the processing may beperformed by the host 1502, as appropriate.

Referring to FIG. 37, a diagram shows another configuration of thesource group 1202 where a host 1512 is coupled to a plurality of localstorage devices 1514-1516. Each of the local storage devices 1514-1516is coupled to both the local destination 1204 and the remote destination1206. In the configuration shown in FIG. 37, the host 1512 may handlesome of the processing described herein such as, for example, cycleswitching for all of the local storage devices 1514-1516 in connectionwith ordered writes.

In some instances, it may be desirable to prevent cycle switching ifthere is difficulty with data transfers between the source group 1202and the local destination 1204. Of course, in instances of completefailure of the local destination 1204 or complete failure of linksbetween the source group 1202 and the local destination 1204, the systemmay stop working completely and recovery will proceed as describedabove. However, in other cases where there may be intermittent failure(e.g., transient connectivity loss for the links between the sourcegroup 1202 and the local destination 1204), it may be desirable tosimply not cycle switch on the source group 1202 in connection withcommunication between the source group 1202 and remote destination 1206,unless and until corresponding data is first successfully transferredfrom the source group 1202 to the local destination 1204. Thisenhancement is described below.

Referring FIG. 38, a flow chart 200′ illustrates a modified portion ofthe flow 200 of FIG. 6, which shows steps performed in connection withtransferring data from an inactive one of the lists 72, 74 (shown inFIG. 3) to another storage device. The flow chart 200′ shows the step204 and the step 212 which are also in the flow chart 200 and describedabove in connection with the text that explains FIG. 6. However, as setforth in more detail below, the flow chart 200′ contains additional newsteps that are not provided in the flow chart 200 of FIG. 6.

Following the step 204 is a test step 1602 which determines if the databeing transferred to another storage device is special data. As used inconnection with the flow chart 200′, special data at the step 1602refers to data being transmitted from the source group 1202 to both thelocal destination 1204 and to the remote destination 1206. In anembodiment herein, special data may be identified using built inmechanisms to determine if the data is queued for transfer to both thelocal destination 1204 and the remote destination 1206. Of course, othermechanisms for identifying and testing for special data may be used.

If it is determined at the test step 1602 that the data is not specialdata, then control transfers from the step 1602 to the step 212 to sendthe data as described above in connection with the flow chart 200 ofFIG. 6. Following the step 212, processing continues as shown in theflow chart 200 of FIG. 6 and described elsewhere herein. If it isdetermined that the test step 1602 that the data being sent is specialdata (is being transferred from the source group 1202 to both the localstorage device 1204 and the remote storage device 1206), then controltransfers from the test step 1602 to a test step 1604 where it isdetermined if the particular transfer being examined is a transfer ofthe special data from the source group 1202 to the remote destination1206. As discussed elsewhere herein, it is desirable to avoid sendingdata from the source group 1202 to the remote destination 1206 unlessand until the data has first been successfully transferred from thesource group 1202 to the local destination 1204. Thus, the test at thestep 1604 determines if the specific data transfer being examined is atransfer from the source group 1202 to the remote destination 1206. Ifnot, then control transfers from the test step 1604 to the step 212 tocontinue processing, as described elsewhere herein. Otherwise, if it isdetermined at the test step 1604 that the data being examinedcorresponds to a transfer from the source group 1202 to the remotedestination 1206, then control transfers from the test step 1604 to atest step 1606, which determines if the corresponding transfer of thedata from the source group 1202 to the local destination 1204 hadpreviously completed successfully. That is, for a given slot or portionof data being transferred to both the remote destination 1206 and thelocal destination 1204, the test at the step 1606 determines if thetransfer from the source group 1202 to the local destination 1204 wasperformed successfully. If not, control transfers from the test step1606 to a step 1607, where error processing/testing are performed.

In some cases, the inability to transfer data from the source group 1202to the local destination 1204 causes the system to begin accumulatingdata at the remote destination 1206 by, for example, causing a failuremessage to be sent to the remote destination (see the flow chart 1330 ofFIG. 30 and corresponding description) and by exiting from theprocessing illustrated by the flow chart 200′ of FIG. 38 so that data issent from the source group 1202 to the remote destination 1206irrespective of whether the data was ever successfully sent from thesource group 1202 to the local destination 1204. Other processing mayoccur such as, for example, setting invalid bits in a device table fordata that is not transferred from the source group 1202 to the localdestination 1204. Note that if the connection between the source group1202 and the local destination 1204 is reestablished, it is possible tosynchronize the remote destination 1204 and then resume steady stateoperation as described herein (e.g., the steps of the flow chart 200′).

The criteria for determining whether or not to perform theabove-described error processing may be set according to a number offunctional factors discernible by one of ordinary skill in the art. Inan embodiment herein, the criteria is set according to the likelihoodthat there is a failure of the link between the source group 1202 andthe local destination 1204 and/or a failure of the local destination1204. For example, the error processing at the step 1607 may determinethat a failure has occurred if a certain amount of time has passedwithout data being successfully transferred from the source group 1202to the local destination 1204. If the error processing at the step 1607determines that a failure has not occurred (and thus processing shouldcontinue), then control transfers from the step 1607 to a test step1608, which determines if there is more inactive data to be sent fromthe source group 1202 to the remote destination 1206. If so, thencontrol transfers from the test step 1608 to a step 1612 where a pointerthat iterates through the data (e.g., iterates through elements of theinactive one of the lists 74, 76) is adjusted to point to the nextinactive block of data to be sent. Following the step 1612, controltransfers back to the step 204, to continue processing as discussedelsewhere herein.

If it is determined at the test step 1608 that there is not moreinactive data to be sent, then control transfers from the test step 1608to a step 1614 where the process waits. Since it has already beendetermined that the data being sent corresponds to a transfer from thesource group 1202 to the remote destination 1206 (at the test step1604), and it has been established that the corresponding transfer fromthe source group 1202 to the local destination 1204 has not completedyet (according to the test at the step 1606), then if it is determinedat the test step 1608 that there is no more data to be sent, then it isappropriate to wait at the step 1614 so that either more inactive datawill be made available to send or until another process successfullytransfers corresponding data from the source group 1202 to the localdestination 1204, thus altering the result at the test step 1606 for thenext iteration. Following the step 1614, control transfers back to thestep 204 to continue processing as described elsewhere herein.

If it is determined at the test step 1606 that the correspondingtransfer to the local destination 1204 had previously completedsuccessfully, then control transfers from the test step 1606 to anothertest step 1616 to determine if the data being transferred has more thanone slot associated therewith in connection with the transfer (e.g., anactive slot and an inactive slot). As discussed elsewhere herein, undercertain conditions, it is possible for there to be more than one slotassociated with what would otherwise be a single slot. See, for example,the discussion above in connection with the flow chart 440 of FIG. 12and the steps 446, 472, 474, 476, 478. Thus, if it is determined at thetest step 1616 that there is not more than one slot, then controltransfers from the test step 1616 to the step 212, to continueprocessing as described elsewhere herein. Otherwise, if it is determinedat the test step 1616 that there is more than one corresponding slot,then control transfers from the test step 1616 to a test step 1618,which determines if the transfer of the other slots to the local storagedevice 1204 had been successful, like the test for the slot at the step1606. If it is determined at the test 1618 that all of the othercorresponding slots were transferred properly to the local storagedevice 1204, then control transfers from the test step 1618 to the step212 to continue processing as described elsewhere herein. Otherwise,control transfers from the test step 1618 to the step 1608, alsodescribed elsewhere herein.

In another embodiment of the system described herein, it is possible tonot use COVD's for the R2 device like those shown in the diagram 240 ofFIG. 7. That is, it is possible to implement the R2 receipt ofasynchronous data without using COVD's at the R2 device.

Referring to FIG. 39, a diagram 1640 shows a cache 1642 that is providedin the remote storage device 26 that receives data. The cache 1642includes a plurality of slots 1652-1654 in which asynchronous data thatis received from the local storage device 24 is placed. Also shown is afirst circularly linked list 1674 and a second circularly linked list1676 which contain pointers to the slots 1652-1654 of the cache 1642.Thus, for example, the circularly linked list 1674 includes a pluralityof pointers 1681-1685, each of which points to one of the slots1652-1654 in the cache 1642. Similarly, the circularly linked list 1676includes a plurality of pointers 1691-1695, each of which points to oneof the slots 1652-1654 of the cache 1642. A standard logical device 1698is also mapped to portions of the cache 1642.

In an embodiment herein, one of the lists 1674, 1676 corresponds to aninactive data chunk (e.g., like the chunk 56 shown in FIG. 2), while theother one of the lists 1674, 1676 corresponds to an active data chunk(e.g., like the chunk 58 of FIG. 2). Received data is accumulated usingan inactive one of the data chunks while the active one of the datachunks is used for storing data at the standard logical device 1698 asdescribed elsewhere herein in connection with the diagram 240 of FIG. 7and the corresponding text. Thus, as new data arrives, it is placed inthe cache 1642 and a new pointer is added to which one of the circularlylinked lists 1674, 1676 corresponds to the inactive data chunk when thedata is received.

In some instances, it may be useful to be able to determine whether aportion of the standard logical device 1698 (or any other logicaldevice) has a slot associated therewith in the cache 1642 correspondingto received data. Of course, it is always possible to traverse both ofthe lists 1674, 1676 to determine if there is a corresponding slot inthe cache 1642. However, it would be more useful if there were a way ofusing particular device, cylinder, and head values of a logical deviceto determine whether there is a corresponding one of the slots 1652-1654in the cache 1642 waiting to be destaged to the device.

Referring to FIG. 40, a diagram 1700 shows a hash table 1702 whichcontain a plurality of entries 1704-1706. In an embodiment herein, eachof the entries 1704-1706 either contains a null pointer or points to oneof the cache slots 1652-1654 that correspond to data that has beenreceived but not yet stored on the standard logical device 1698 (oranother standard logical device). The table 1702 is indexed using a hashfunction that performs a mathematical operation using the particularvalues of the device, cylinder, and head to generate an index into thetable 1702 to find the corresponding entry. Thus, when data is receivedby the R2 device, the hash function is applied to the device, cylinder,and head to find its index value into the table 1702 and then a pointeris written to the corresponding one of the entries 1704-1706 that pointsto the particular slot 1652-1654 in the cache 1642. Once the receiveddata is appropriately destaged to the standard logical device 1698 (oranother device), the corresponding one of the entries 1704-1706 is setto null. In this way, the hash table 1702 allows quickly determiningwhether a particular portion of a standard logical device corresponds toreceived data that has not yet been destaged. For the system describedherein, any appropriate hash function may be used to generate the indexinto the table 1702.

In some instances, it may possible for a particular device, cylinder,and head values to generate an index into the table 1702 that is thesame as an index generated by different values for the device, cylinder,and head. This is called a “collision”. In instances where collisionsoccur, a second entry into the table 1702 corresponding to the sameindex as provided and the second entry is linked to the first entry sothat a particular index would correspond to more than one entry. This isillustrated by an element 1708 that is linked to the element 1705 of thetable 1702. Thus, a first device, cylinder, and head are hashed togenerate and index to the entry 1705 while different device, cylinder,and head are input to the hash function to generate the same value forthe index. In an embodiment herein, the entry 1705 is used to point tothe data in the cache 1642 corresponding to the first device, cylinder,and head while the entry 1708 is used to point to data in the cache 1642corresponding to the second device, cylinder and head. Of course, asdata is destaged to an appropriate device, the corresponding one of theentries 1705, 1708 may be eliminated from the table 1700.

Note that any number of entries may correspond to a single index sothat, for example, if collisions occur that cause three separate sets ofvalues for device, cylinder, and head to generate the same index, thenthere would be three (or more) entries linked together at a particularindex into the table 1702. Note also that other appropriate techniquesmay be used to handle collisions, including providing additional tables(e.g., a second table, a third table, a fourth table, etc.).

Referring to FIG. 41, a diagram 1720 shows an alternative embodiment ofa hash table 1722 which contain a plurality of entries 1724-1726. Theembodiment of FIG. 41 is like the embodiment of FIG. 40, with a fewdifferences, as described herein. Each of the entries 1724-1726 eithercontains a null pointer or points to one of the cache slots 1728, 1732,1734, shown in the diagram 1720, that correspond to data that has beenreceived but not yet stored on the standard logical device 1698 (oranother standard logical device). The table 1722 is indexed using a hashfunction that performs a mathematical operation using the particularvalues of the device, cylinder, and head to generate an index into thetable 1722 to find the corresponding entry. Thus, when data is receivedby the R2 device, the hash function is applied to the device, cylinder,and head to find its index value into the table 1722 and then a pointeris written to the corresponding one of the entries 1724-1726 that pointsto the particular slot 1728, 1732, 1734. Once the received data isappropriately destaged to the standard logical device 1698 (or anotherdevice), the corresponding one of the entries 1724-1726 is adjustedappropriately. In this way, the hash table 1722 allows quicklydetermining whether a particular portion of a standard logical devicecorresponds to received data that has not yet been destaged. For thesystem described herein, any appropriate hash function may be used togenerate the index into the table 1722.

For the embodiment shown in FIG. 41, in instances where collisionsoccur, the first slot pointed to by a table entry points to the secondslot that caused the collision. Thus, for example, if the slot 1732 anda slot 1736 cause a collision at the table entry 1725, the table entry1725 points to the slot 1732 while the slot 1732 points to the slot1736. Thus, a collision does not cause any change in the table 1722 whenthe subsequent slot is added, since adding the subsequent slot simplyinvolves changing the pointer value for a previous slot. Of course, anynumber of slots may correspond to a single table entry.

Note that any number of entries may correspond to a single index sothat, for example, if collisions occur that cause three separate sets ofvalues for device, cylinder, and head to generate the same index, thenthere would be three (or more) entries linked together at a particularindex into the table 1702. Note also that other appropriate techniquesmay be used to handle collisions, including providing additional tables(e.g., a second table, a third table, a fourth table, etc.).

In some instances, it may be advantageous to be able to use somethingother than the local destination 1204 shown in the diagram 1200 of FIG.26. Of course, if the local destination 1204 is not a full mirror of thesource group, then recovery would be performed at the remote destination1206. However, the remote destination 1206 may not contain data that isas up-to-date as data that was synchronously written from the sourcegroup 1202 to the local destination 1204. Accordingly, it is desirableto be able to recover at the remote destination 1206 but have data thatis as up-to-date as data synchronously written from the source group1202 to the local destination 1204.

Referring to FIG. 42, a diagram 1780 shows a system containing a sourcegroup 1782 like the source group 1202 of the diagram 1200 of FIG. 26.The diagram 1780 also shows a remote destination 1786 like the remotedestination 1206 of the diagram 1200 of FIG. 26.

The diagram 1780 also shows a minimal storage local destination 1788,which is used to receive synchronous data writes from the source group1782. In an embodiment herein, the minimal storage local destination1788 appears to the source group 1782 to be a storage device like thelocal destination 1204 of the diagram 1200 of FIG. 26. However, in anembodiment herein, the minimal storage local destination 1788 is not amirror of the source group 1782. Instead, the minimal storage localdestination 1788 is used to store data that will be transferred to theremote destination 1786 in the event that a recovery becomes necessary.In an embodiment herein, all recoveries are performed at the remotedestination 1786. In other embodiments, it is possible for the sourcegroup 1782 to know that it is connected to the minimal storage localdestination 1788.

The source group 1782 may operate like the source group 1202 of thediagram 1200 of FIG. 26. Thus, the source group 1782 providessynchronous writes to the minimal storage local destination 1788 andprovides ordered writes to the remote destination 1786. The minimalstorage local destination 1788, instead of being a mirror for the sourcegroup 1782, stores only the most recent synchronous writes from thesource group 1782 so that, in the event a recovery becomes necessary,the minimal storage local destination 1788 may transfer the most recentwrites to the remote destination 1786. As data is transferred from thesource group 1782 to the remote destination 1786, corresponding data isremoved from the minimal storage local destination 1788 so that theminimal storage local destination 1788 retains, for example, only themost recent two cycles of ordered writes data because any cycles olderthan the two most recent cycles are already stored on the remote storagedevice 1786.

Referring to FIG. 43, a data structure 1800 illustrates storage of dataat the minimal storage local destination. 1788. In an embodiment herein,the data structure 1800 is a linked list having a plurality of elements1802-1805. A list top pointer points to the first element 1802. Thefirst element points to the second element 1803, the second elementpoints to the third element 1804, et cetera. The linked list 1800 alsohas a last element 1805 that points to a null pointer as a next elementto indicate the end of the list. Of course, other appropriate datastructures may be used.

In one embodiment herein, the list 1800 is sorted according to the trackand head location on a standard logical device so that, for example, theelement 1802 would be the first element in a sequence of elements on thestandard logical device, the second element 1803 would follow the firstelement 1802, et cetera. In another embodiment, the list 1800 would besorted according to the order that the data writes are provided from thesource group 1782 to the minimal storage local destination 1788. Bothembodiments are described in more detail below.

Referring to FIG. 44, a diagram shows in more detail a data element 1820of the linked list 1800. The data element 1820 includes a TRACK field1822 that indicates a track number used to store the data on thecorresponding standard logical device. Other data storage locations maybe used in lieu of track number, such as sector number, offset frombeginning of the standard logical device, or any other appropriateindicator.

The data element 1820 also includes a cycle number 1824 (CYCNO) whichindicates the cycles used for transferring data from the source group1782 to the remote destination 1786, as described elsewhere herein. Whendata is transferred from the source group 1782 to the minimal storagelocal destination 1788, the minimal storage local destination 1788 keepstrack of cycle changes corresponding to transfers between the sourcegroup 1782 and the remote destination 1786 and assigns an appropriatecycle number to the data element 1820, as described in more detailelsewhere herein.

The data element 1820 also includes a data field 1826 (DATA) thatcorresponds to the data that has been transferred from the source group1782 to the minimal storage local destination 1788. The-data element1820 also includes a next field 1828 (NEXT) that is used to point to thenext data element in the linked list 1800.

Referring to FIG. 45, a flow chart 1850 illustrates steps performed bythe minimal storage local destination 1788 in connection with receivingdata provided by the source group 1782 to the minimal storage localdestination 1788. As discussed elsewhere herein, the minimal storagelocal destination 1788 may appear to the source group 1782 to be amirror of the source group 1782. However, as described herein, theminimal storage local destination 1788 is not necessarily a mirror ofthe source group 1782 but, instead, contains the most recent data fromthe source group 1782. In the event a recovery is necessary, the minimalstorage local destination 1788 transfers the data stored thereon to theremote destination 1786 to facilitate recovery.

Processing for the flow chart 1850 begins at a step 1852 where a localcycle number, CYCNO, is set to zero. The local cycle number set at thestep 1852 is used to keep track of the cycle changes at the source group1782. Note that it is not necessary that the local cycle numbercorrespond exactly to the particular cycle number used at the sourcegroup 1782. Rather, it is sufficient that the cycle number set at thestep 1852 keep track of the cycle switches by the source group 1782.

Following the step 1852 is a step 1854 where data is received from thesource group 1782. Following the step 1854 is a test step 1856 whichdetermines if the received data corresponds to a cycle switch providedby the source group 1782. The test step 1856 is like the test step 1262of FIG. 28A, discussed above.

If it is determined at the test step 1856 that the received data doesnot correspond to a cycle switch, then control transfers from the teststep 1856 to a step 1858 where the received data is added to the storageof the minimal storage local destination 1788. Adding the data to thestorage of the minimal storage local destination 1788 at the step 1858is discussed in more detail elsewhere herein. Following step 1858 is astep 1862 where the received data is acknowledged to the source group1782 by the minimal storage local destination 1788. Acknowledging thedata at the step 1862 may be used to make the minimal storage localdestination 1788 appear to the source group 1782 as a full synchronousmirror (i.e., the acknowledge provided at the step 1862 is the sameacknowledge provided by a full synchronous mirror). Following the step1862, control transfers back to the step 1854 to receive more data.

If it is determined at the test step 1856 that the data received at thestep 1854 corresponds to a cycle switch, then control transfers from thestep 1856 to a step 1864 where the internal cycle number, CYCNO, that isused with the minimal storage local destination 1788, is incremented. Inan embodiment herein, there is a maximum cycle number, MAXCYCNO, so thatthe cycle number is incremented at the step 1864 by adding one to CYCNOand then taking the result thereof modulo MAXCYCNO.

Following the step 1864 is a step 1866 where data corresponding toprevious cycle numbers is discarded. As discussed elsewhere herein, theminimal storage local destination 1788 stores the data corresponding tothe two most recent cycle numbers. Any data older than two cycle numbersshould have already been successfully transferred from the source group172 to the remote destination 1786. Accordingly, since recovery will beprovided at the remote destination 1786, then the minimal storage localdestination 1788 need only store data corresponding to the current cyclenumber and data corresponding to the previous cycle number. In otherembodiments, it may be possible to retain different data (e.g., thethree or four most recent cycles). Discarding data at the step 1866 isdiscussed in more detail elsewhere herein. Following the step 1866,control transfers back to the step 1854, discussed above, to receiveadditional data.

Referring to FIG. 46, a flowchart 1900 illustrates in more detail stepsperformed by the minimal storage local destination 1788 in connectionwith the step 1858 where received data is added to the data stored atthe minimal storage local destination 1788. Processing begins at a firststep 1902 where a temporary variable, P1, is set equal to list top, thepointer that points to the linked list 1800 of the data stored at theminimal storage local destination 1788.

Following the step 1902 is a test step 1904 where it is determined ifthe temporary variable, P1, equals null. If so, then there is no datastored in the linked list 1800 and the data being stored by the steps ofthe flowchart 1900 corresponds to the first data being stored at theminimal storage local destination 1788. If it is determined at the teststep 1904 that P1 equals null, then control transfers from the test step1904 to a step 1906 where memory is obtained from a heap (or somethingappropriate similar) using a malloc command (or something appropriatelysimilar) for a temporary variable, T, used to temporarily store data.Following the step 1906 is a step 1908 where a track number field of thedata record T (T.TRACK) is set equal to the track of the standardlogical device on which the data is stored at the source group 1782.Following the step 1908 is a step 1912 where T.CYCNO is set equal to thecurrent local cycle number at the minimal storage local destination1778.

Following the step 1912 is a step 1914 where the received data is copiedto the data field of T (i.e., T.DATA). Following the step 1914 is a step1916 where the next field (T.NEXT) is set equal to null. Following thestep 1916 is a step 1918 where the list top is set equal to T. Followingthe step 1918, processing is complete.

If it is determined at the test step 1904 that the variable P1 does notequal null, then control transfers from the test step 1904 to a teststep 1922 where it is determined if the track number corresponding tothe data that has been received equals the track number of the dataelement pointed to by P1. If so, then control transfers from the teststep 1922 to a step 1924 where the received data is written to the datafield at P1.DATA (perhaps overwriting existing data). Following the step1924 is a step 1926 where the cycle number field of the element pointedto by P1 (P1.CYCNO) is overwritten with the current local cycle number(CYCNO) stored at the minimal storage local destination 1778. Followingthe step 1926, processing is complete.

If it is determined at the test step 1922 that the track number of theelement pointed to by P1 does not equal the track number correspondingto the received data, then control transfers from the test step 1922 toa step 1928 where another temporary variable, P2, is set equal toP1.NEXT. Following the step 1928 is a test step 1932 where it isdetermined if P2 equals null (i.e., P1 points to an element at the endof the linked list 1800). If not, then control transfers from the teststep 1932 to a test step 1934 where it is determined if the track numbercorresponding to the element pointed to by P2 is less than the tracknumber corresponding to the data that has been received. The test at thestep 1934 determines if the received data is to be a new element that isinterposed between P1 and P2. If it is determined at the test step 1934that the track number of the element pointed to by P2 is not less than atrack number corresponding to the received data, then control transfersfrom the test step 1934 to a step 1936 where the temporary variable P1is set equal to P2 in order to prepare for the next iteration. Followingthe step 1936, control transfers back to the test at 1922, discussedabove.

If it is determined at the test step 1932 that P2 points to null, or ifit is determined at the test step 1934 that the track number of the dataelement pointed to by P2 is less than the track number corresponding tothe received data, then control transfers to the step 1938 where a newelement (for the list 1800) is allocated using a temporary variable, T.Following the step 1938 is a step 1942 where the track number of T(T.TRACK) is set equal to the track number corresponding to the receiveddata. Following the step 1942 is a step 1944 where the cycle numberfield of T (T.CYCNO) is set equal to the local cycle number at theminimal storage local destination 1788.

Following the step 1944 is a step 1946 where the received data iswritten to the data field of the temporary storage area (T.DATA).Following the step 1946 is a step 1948 where the next field of T(T.NEXT) is set equal to P2. Following the step 1948 is a step 1952where the next field of the element pointed to by P1 (P1.NEXT) is set topoint to T T. Following the step 1952, processing is complete.

The flowchart 1900 of FIG. 46 illustrates an embodiment where the linkedlist 1800 at the minimal storage local destination 1788 is sortedaccording to the track number corresponding to the received data. It isalso possible to sort the received data according to the order ofreceipt of the data at the minimal storage local destination 1788.

Referring to FIG. 47, a flowchart 2000 illustrates steps performed bythe minimal storage local destination 1788 at the step 1858 where datais added. In the alternative embodiment illustrated by the flowchart2000, the data in the linked list 1800 is stored according to the orderof receipt of the data at the minimal storage local destination 1788.

Processing begins at first step 2002 where a new data element, T, isallocated. Following the step 2002 is a step 2004 where the track numberfield of the allocated element (T.TRACK) is set equal to the tracknumber corresponding to the received data. Following the step 2004 is astep 2006 where the cycle number field of the allocated element(T.CYCNO) is set equal to the local cycle number provided at the minimalstorage local destination 1788 (CYCNO).

Following the step 2006 is a step 2008 where the received data iswritten to the data field of the allocated element (T.DATA). Followingthe step 2008 is a step 2012 where the next field of the allocatedelement (T.NEXT) is set equal to null. In an embodiment herein, the mostrecently received data is added at the end of the linked list 1800.Following the step 2012 is a test step 2014 which determines if the listtop (the pointer to the head of the linked list 1800) equals null. Notethat when the first data is written to the linked list 1800, or if alldata has been removed from the list 1800, the list top may equal null.If it is determined at the test step 2014 that the list top equals null,then control transfers from the test step 2014 to a step 2016 where thelist top is set to point to the newly-allocated data element, T.Following the step 2016 is a step 2018 where a list end element, LE,which keeps track of the end of the list 1800, is also set to point tothe newly allocated data element, T. Following the step 2018, processingis complete.

If it is determined at the test step 2014 that the list top does notequal null, then control transfers from the test step 2014 to a step2022 where the next field of the data element pointed to by the list endpointer (LE.NEXT) is set to point to the newly allocated data element,T. Following the step 2022 is a step 2024 where the list end pointer,LE, is set equal to the newly allocated data element, T. Following thestep 2024, processing is complete.

Referring to FIG. 48, a flow chart 2050 illustrate steps performed bythe minimal storage local destination 1788 in connection with thediscard step 1866 of the flow chart 1850 of FIG. 45. In an embodimentherein, the same processing may be used for discarding irrespective ofwhether the data is stored on the linked list 1800 according to thetrack number (embodiment of FIG. 46) or according to the order ofreceipt (embodiment of FIG. 47). Note that a technique used fordiscarding the data may be independent of a technique used to add data.

Processing for the flow chart 2050 begins at a first step 2052 where atemporary variable, P1, is set equal to the list top variable thatpoints to the first element of the linked list 1800. Following the step2052 is a test step 2054 where it is determined if P1 equals null. Ifso, then processing is complete. Otherwise, control transfers from thetest step 2054 to a step 2056 where another temporary variable, P2, isset equal to the next field of the data element pointed to by P1 (i.e.,is set equal to P1.NEXT). Following the step 2056 is a test step 2058where it is determined if P2 points to null. If so, then processing iscomplete. Otherwise, control transfers from the test step 2058 to a teststep 2062 which determines if the cycle number of field of the dataelement pointed to by P2 (P2.CYCNO) equals the cycle number for databeing discarded (e.g., (CYCNO-2) modulo MAXCYCNO). If so, then controltransfers from the test step 2062 to a step 2064 where the next field ofthe element pointed to by P1 (P1.NEXT) is set equal to the next field ofthe element pointed to by P2 (P2.NEXT), thus removing the elementpointed to by P2 from the linked list 1800. Following the step 2064 is astep 2066 where the element pointed to by P2 is freed (i.e., returned toa heap). Following the step 2066 is a step 2068 where P1 is set equal tothe next field pointed to by P1 (i.e., P1=P1.NEXT). Following the step2068, control transfers back to the step 2056 for the next iteration.Note that if it is determined at the test step 2062 that the cyclenumber field of the element pointed to by P1 does not equal a cyclenumber of data being discarded, then control transfers from the teststep 2062 to the step 2068, discussed above.

Note that for the embodiments discussed in connection with FIGS. 42-48,it is not necessary to maintain the SDDF maps since recovery is alwaysperformed at the remote destination 1786 and all of the stored data istransferred from the minimal storage local destination 1788 to theremote destination 1786 recovery. Thus, it is not necessary to keeptrack of specific data that needs to be transferred. In addition, it isnot necessary to have a token or any other mechanism for keeping trackof which device will be used for recovery since the remote destination1786 is always used for recovery in connection with the embodiments ofFIGS. 42-48. Furthermore, it is not necessary to perform the processingof FIGS. 29 and 30 at the remote destination since there are no tokensor SDDF maps.

Referring to FIG. 49, a flow chart 2100 illustrates steps performed inconnection with recovering at the remote destination 1786 when, forexample, the source group 1782 ceases to be operational. Processingbegins at a first step 2102 where the links between the source group1782, the remote destination 1786 and the minimal storage localdestination 1788 are dropped. Dropping the links at the step 2102 islike dropping the links at the step 1362 of the flow chart 1360 of FIG.31. Following the step 2102 is a step 2104 where ordered writes areterminated. Terminating ordered writes at the step 2104 is liketerminating ordered writes at the step 1366 of the flow chart 1360 ofFIG. 31.

Following the step 2104 is a step 2106 where all data is transferredfrom the minimal storage local destination 1788 to the remotedestination 1786. The data may be transferred according to the order ofdata elements on the linked list 1800. Thus, for example, if the linkedlist 1800 is stored according to the time sequence of writes to theminimal storage local destination 1788 (embodiment shown in FIG. 47),then the data will be transferred from the minimal storage localdestination 1788 to the remote destination 1786 according to the timesequence of writes. Alternatively, if data is stored in the linked list1800 in order of storage locations on the corresponding standard logicaldevice (embodiment if FIG. 46), then data may be transferred in thatorder from the minimal storage local destination 1788 to the remotedestination 1786. Following the step 2106, processing is complete andoperation may resume using the remote storage device 1786, which has themost up-to-date data.

Referring to FIG. 50, a diagram 2120 illustrates sharing of resources.The diagram 2120 includes a source group 2122 and a remote destination2126 which are like the source group 1782 and the remote destination1786 of FIG. 42. The diagram 2120 also shows a minimal storage localdestination 2128 which is like the minimal storage local destination1788 of FIG. 42, except that the minimal storage local destination 2128may be shared by unrelated storage systems. Note that the minimalstorage local destination 2128 may be any type of storage deviceincluding a Symmetric device provided by EMC Corporation, a personalcomputer, or any other device capable of storing data and providing thefunctionality described herein.

The diagram also shows a second source group 2126′ and a second remotedestination 2122′. However, the source group 2122′ transfers data to theminimal storage local destination 2128 that is also used by the sourcegroup 2122. Should recovery become necessary for either or both of thesource groups 2122, 2122′, recovery data will be provided by the minimalstorage local destination 2128 to one or both of the remote destinations2126, 2126′. In an embodiment herein, the minimal storage localdestination 2128 stores data from the source group 2122 in a separatelocation from data stored for the source group 2122′.

The diagram 2120 also shows a third source group 2122″ and a thirdremote destination 2126″. The third source group 2122″ also transfersdata to the minimal storage local destination 2128. In addition, shouldrecovery become necessary, the minimal storage local destination 2128may transfer recovery data to the remote destination 2126″.

The number of source groups and remote destinations coupled to a minimalstorage local destination may be bounded by the storage and processingcapability of the minimal storage local destination. Note also that asingle storage device may be used as the remote destination for multiplesource groups.

An advantage of the system described herein is the ability to switchoperations from the source group to either the local destination or theremote destination. This switching may be performed either as part of aplanned operation (e.g., for maintenance purposes) or as an unplannedoperation when the source group fails. It is also possible for one ormore of the links to fail, which may or may not require switchingoperations.

Referring to FIG. 51, a system 3000 includes a first data center 3010(DC 1) having a first host 3012 coupled to a first storage device 3014.The diagram 3000 also shows a second data center 3020 (DC2) having asecond host 3022 coupled to a second storage device 3024 and a thirddata center 3030 (DC3) having a third host 3032 coupled to a thirdsource device 3034. The data centers 3010, 3020, 3030, may begeographically dispersed or in the same location. The first storagedevice 3014 may be coupled to the second storage device 3024 via a linkL1 and may be coupled to the third storage device 3034 via a link L2.The second storage device 3024 may also be coupled to the third storagedevice 3034 via a link L3.

In an embodiment herein, the first data center 3010 may correspond (atleast initially) to the source group 1202 of FIG. 26 and/or the sourcegroup 1782 of FIG. 42. Thus, the data center 3010 may contain aplurality of hosts and a plurality of storage devices, all or some ofwhich may work together as a single consistency group or not. Similarly,the second data center 3020 may (initially) correspond to the localdestination 1204 of FIG. 26. In some cases where significant storagecapability is not needed at the data center 3020, the data center 3020may also (initially) correspond to the minimal storage local destination1788 of FIG. 42. The data center 3030 may (initially) correspond to theremote destination 1206 of FIG. 26 and/or the remote destination 1786 ofFIG. 42.

Thus, some or all of the data centers 3010, 3020, 3030 may each containa plurality of hosts and/or a plurality of storage devices, all or someof which may work together as a single consistency group. Accordingly,each of the hosts 3012, 3022, 3032 may represent a plurality of hostswhile each of the storage devices 3014, 3024, 3034 may represent aplurality of storage devices. Note also that a storage device mayinclude one or more logical volumes so that, for the discussion herein,references to a storage device may be understood, in appropriatecontext, to include one or more storage devices and/or one or morelogical volumes provided in connection with a storage device.

In an initial configuration, the link L1 may be used for synchronoustransfer of data from the first storage device 3014 to the secondstorage device 3024 while the link L2 may be used for asynchronoustransfer of data from the first storage device 3014 to the third storagedevice 3034. In some embodiments, the link L3 between the second storagedevice 3024 and the third storage device 3034 may not be used initially,but may be activated when necessary (e.g., in connection with a failoverand/or switchover).

For the discussion that follows, the term “primary group” may be used torefer to the combination of hosts and storage devices (and/or volumes atthe storage devices) at a location (i.e., one of the data centers 3010,3020, 3030) that is used for the primary work load being done by thecomputing system. The term “synchronous backup group” may refer to thecombination of hosts and storage devices (and/or volumes at the storagedevices) at a single one of the data centers 3010, 3020, 3030 used tomaintain a synchronous mirror of the data generated and stored at theprimary group site. Similarly, the term “asynchronous backup group” mayrefer to the combination of hosts and storage devices at a single one ofthe data centers 3010, 3020, 3030 used to maintain an asynchronousmirror of the data generated at the primary group site. When all threeof the data centers 3010, 3020, 3030 are operational, the primary groupmay establish concurrent RDF relationships with both the synchronousbackup group and the asynchronous backup group as described elsewhereherein.

For the discussion herein, it may be assumed that the primary group isinitially provided at the data center 3010, the synchronous backup groupat the data center 3020, and the asynchronous backup group at the datacenter 3030. Note that it is possible for the asynchronous backup groupto be located physically farther from the data source (e.g., the primarygroup) than the synchronous backup group. Note also that the hosts 3022,3032 at the synchronous backup group and the asynchronous backup groupmay not necessarily be initially operational and may only be used whenand if either of the backup groups becomes the primary group due to aswitchover or failover.

Referring to FIG. 52, a flowchart 3100 illustrates steps performed inconnection with a switchover that exchanges the primary group with thesynchronous backup group. The processing illustrated by the flowchart3100 is an example where the primary group is initially located at thedata center 3010 and the synchronous backup group is initially locatedthe data center 3020 so that performing the steps illustrated by theflowchart 3100 causes the primary group to be located at the data center3020 and the synchronous backup group to be located at the data center3010. Of course, other initial configurations are possible so that, forexample, the steps of the flowchart 3100 may be adapted to swap theprimary group and the synchronous backup group when the primary group isinitially located at the data center 3020 and the synchronous backupgroup is initially located at the data center 3010.

Processing begins at a first step 3102 where the work being performed atthe primary group by the host 3012 (or, as discussed elsewhere herein, agroup of hosts) is stopped. Following the step 3102 is a step 3104 wherewrites being performed to the storage device 3014 (affected volume(s) ofthe storage device 3014 or, as discussed elsewhere herein, a group ofstorage devices) are stopped by, for example, making the volume(s) notready to the host 3012 and/or to any other hosts and/or to any otherdevices that might perform writes thereto.

Following the step 3104 is a step 3106 where the ordered writesgenerated by the storage device 3014 in connection with transferringdata to the storage device 3034 are drained. Draining the ordered writesat the step 3106 involves allowing cycle switching to occur (asdiscussed elsewhere herein) for a number of cycles (e.g., two or more)even though no new data is being written to the storage device 3014.Eventually, all of the data that was previously written at the storagedevice 3014 will have been transferred from the storage device 3014 tothe storage device 3034 at the data center 3030.

Following the step 3106 is a step 3108 where multisession control (ifany) and consistency group processing (if any) are stopped at the host3012. Stopping multisession control (MSC) and/or consistency groupprocessing at the host 3012 involves halting the processing thatfacilitates, for example, synchronization of cycle switching amongmultiple storage devices, as described in elsewhere herein. MSC is usedto facilitate the initial configuration of FIG. 51 where the primarygroup is provided with both a synchronous backup group and anasynchronous backup group. Note that once the ordered writes have beendrained at the step 3106, there is no longer a need to provide cycleswitching.

Following the step 3108 is a step 3112 where a local copy is made of thedata (volumes) on the storage device 3014. The local copy created at thestep 3112 may be used to preserve the state of the data at the storagedevice 3014 at the time of the swap of the primary group and thesynchronous backup group. The local copy may be useful, for example, ininstances where there is an error in connection with performing theswap. There may be other uses for the local copy. The local copy may becreated using any appropriate technology, including using conventionalsnap or other copy-related technology to make a copy or by maintaining amirror of the storage device 3014 (or volumes thereof) prior toperforming the processing at the step 3112 and then splitting the mirror(halting copying) at the step 3112.

Following the step 3112 is a step 3113 where a pairing list is createdfor existing R1/R2 RDF pairs. This is useful because, for example,significant initialization can be avoided by choosing new R1/R2 volumesfrom among R2 volumes having a common R1 volume. This may be illustratedby the following example:

Suppose that prior to the swap, there is an R1/R2 pair, Ra (at thestorage device 3014) and Rb (at the storage device 3024) that are usedfor the synchronous data transfer from the storage device 3014 to thestorage device 3024. Also assume that there is another R1/R2 pair, Raand Rc (at the storage device 3034) that is used for the ordered writestransfer (asynchronous data transfer) from the storage device 3014 tothe storage device 3034. In such a case, the R1/R2 pair created at thestep 3113 would include Rb (R1 volume) at the storage device 3024 and Rc(R2 volume) at the storage device 3034. Since both Rb and Rc are theformer R2 volumes for the R1 volume at the storage device 3014, then thedata on Rb and Rc should be identical or, in some cases discussedelsewhere herein, nearly identical. Note that, in some instances, theremay be multiple volumes and/or storage devices (consistency groups) thatare paired up in this way so that the step 3125 (and other similar stepsthroughout this discussion) represents creating as many R1/R2 pairingsas appropriate.

The processing performed at the step 3113 is described in more detailelsewhere herein. Note that the processing performed at the step 3113may be performed at any time, including prior to initiating the swap, inwhich case data describing the R1/R2 RDF pairings may be provided toeach of the data centers 3010, 3020, 3030 and used later in connectionwith any (unplanned) failover that occurs. Note also that, in instanceswhere the advantages of differential resynchronization are desired (ornecessary), then it is necessary to perform the processing at the step3113.

Following the step 3113 is a step 3116 where RDF data transferoperations from the storage device 3014 to both the storage device 3024and to the storage device 3034 are suspended. Following the step 3116 isa step 3118 where copies of the data at the storage devices 3024, 3034are made locally at the data center 3020 and/or the data center 3030,respectively. The local copies may be provided in a manner similar toproviding the local copy of the storage device 3014 discussed above inconnection with the step 3112. Note that, in some instances, the localcopies made at the steps 3112, 3118 are optional and, although useful,may not be not necessary. However, in other instances, it may bepossible to use the local copies as part of the operation(s) beingperformed.

Following the step 3118 is a step 3122 where the RDF relationshipsbetween the R1 volume(s) at the storage device 3014 and the R2 volume(s)at the storage device 3034 are deleted, using, for example, the dynamicRDF mechanism. Following the step 3122 is a step 3124 where the R1 andR2 for the RDF connection between the storage device 3014 and thestorage device 3024 are swapped using, for example, the dynamic RDFmechanism discussed elsewhere herein.

Following the step 3124 is a step 3125 where an RDF pair is created totransfer data from the storage device 3024 to the storage device 3034via the link L3 using ordered writes as discussed elsewhere herein. TheRDF pair may be created using, for example, the dynamic RDF mechanismdisclosed in U.S. Pat. No. 6,862,632, which is incorporated by referenceherein. Note, however, that the volumes chosen for the RDF pair at thestep 3125 correspond to the R2 volumes from the previous RDF pairingsbetween the storage device 3014 and the storage devices 3024, 3034 inorder to minimize the amount of initialization that needs to beperformed. The R2 volumes may be chosen using information obtained atthe step 3113, described above. Following the step 3126 where RDFtransfers between the storage device 3024 and the storage device 3014are resumed. Note that after the R1 and R2 devices between the storagedevice 3014 and the storage device 3024 are swapped, data saved locallyat the storage device 3024 may be synchronously transferred to thestorage device 3014.

Following the step 3126 is a step 3128 where a consistency group isstarted at the data center 3020. As discussed elsewhere herein, aconsistency group may be used in cases where the data center 3020contains multiple storage devices that store coordinated ordered datafor a single application and/or group of related applications. Followingthe step 3128 is a test step 3132 where it is determined if the data atthe storage device 3024 is synchronized with (is identical to) data atthe storage device 3034 (and thus also at the storage device 3014). Notethat in instances where the drain operates properly at the step 3106 andthe data had been synchronously transferred from the storage device 3014to the storage device 3024 prior to initiating the swap, then the dataat the storage device 3024 should already be synchronized with data atthe storage device 3034. However, as discussed elsewhere herein, theremay be instances where the data is not already synchronized.

If it is determined at the test step 3132 that the data at the storagedevice 3024 is not synchronized with data at the storage device 3034,then control transfers from the step 3132 to a step 3134 where the datasynchronization is performed. Synchronizing the data at the step 3134may use any appropriate mechanism, including mechanisms discussedelsewhere herein such as the SDDF mechanism, background copy, etc. Notethat the synchronization may be performed at the step 3134 by simplyindicating (e.g., in a table) which tracks (or other portions of data)are invalid (less up-to-date) and then starting a background copyprocess to transfer the more recent data corresponding to those tracks.Thus, it is possible that the processing performed at the step 3134simply starts the synchronization of the storage devices 3024, 3034without necessarily completing the synchronization.

Note that, generally, initiation of a new RDF relationship causes a fullsynchronization where an entire R1 volume to be copied to acorresponding R2 volume to initially synchronize the volumes. However,when the R1/R2 volumes are chosen based on the information obtained atthe step 3113, then a frill synchronization may not be necessary.Instead, a differential synchronization may be performed where, forexample, as described elsewhere herein, SDDF maps may be used todetermine what is “owed” from one volume to another to synchronize thevolumes. Following whatever synchronization is performed using SDDF maps(or another appropriate mechanism), it may be useful to wait for twoordered write cycles to occur (e.g., the drain operation discussedelsewhere herein) before determining that the R1/R2 pair issynchronized.

Following the step 3134, or following the step 3132 if the data isalready synchronized, is a step 3136 where the RDF link (created at thestep 3125) between the storage device 3024 and storage device 3034 isactivated. Following step 3136 is a step 3137 where the system waits forthe storage devices to be consistent (synchronized). As discussed above,it is possible for the step 3134 to initiate synchronization withoutnecessarily waiting for the system to complete the synchronization atthe step 3134. Thus, the processing at the step 3137 waits for thesynchronization to be complete. In an embodiment herein, synchronizationis deemed to be complete after all invalid track (data portion)indicators have been cleared and, following that, two ordered writecycle switches have occurred. Following the step 3137 is a step 3138where multisession control and/or consistency group processing are begunat the host 3022 at the data center 3020.

Following the step 3138 is a step 3142 where work is begun at the datacenter 3020. The work begun at the data center 3020 may be identical toor related to (a continuation of) the work that was previously performedat the data center 3010. Following the step 3142, processing iscomplete. Note that the new configuration of the system is a mirror ofthe prior configuration with the primary group now being provided at thedata center 3020 and the synchronous backup group being provided thedata center 3010.

Referring to FIG. 53, a pairing list table 3160 includes a plurality ofentries 3162-3164 corresponding to RDF R1/R2 pairs that are used in thesystem 3000. The table 3160 may be constructed at the step 3113 in amanner discussed in more detail below. The table 3160 may be used inconnection with determining which volumes to use in connection with thestep 3125 of the flowchart 3100 of FIG. 52 where an RDF pair is createdbetween the data center 3020 and the data center 3030. Each of theentries 3162-3164 includes an identifier (e.g., unique device numbers)for an R1 volume, an identifier for a corresponding R2 volume at thesynchronous backup group, and an identifier for a corresponding R2volume at the asynchronous backup group.

Referring to FIG. 54, a flowchart 3200 illustrates steps performed inconnection with using the table 3160 of existing R1/R2 RDF relationshipsto construct the table 3160. The processing illustrated by the flowchart 3200 uses as input two lists: a list, L1, of R1/R2 relationshipsbetween the primary group and the synchronous backup group and a list,L2, of R1/R2 relationships between the primary group and theasynchronous backup group.

Processing begins at a first step 3202 where a first pointer, P1, ismade to point to the first entry of the list L1. Following the firststep 3202 is a second step 3204 where a second pointer, P2, is made topoint to the first entry in the list L2. Following step 3204 is a teststep 3206 which determines if P2 points past the end of the list L2. Ifnot, then control transfers from the test step 3206 to a test step 3208where it is determined if the R1 value of the L1 entry to by P1 equalsthe R1 value of the L2 entry pointed to by P2 (i.e., if both R1 volumesare the same). If so, then control transfers from the test step 3208 toa step 3212 where the common R1 volume, the R2 volume at the L1 entrypointed to by P1, and the R2 volume at the L2 entry pointed to by P2 areall recorded as a new entry in the table 3160. Following the step 3212,or following the step 3208 if the R1 volumes are not the same, is a step3214 where P2 is made to point to the next entry in the L2 list.Following the step 3214, control transfers back to the test step 3206,discussed above.

If it is determined at the test step 3206 that P2 points past the end ofthe L2 list, then control transfers from the test step 3206 to a step3216 where P1 is made to point to the next entry in the L1 list.Following the step 3216 is a test step 3218 where it is determined if P1points past the end of the L1 list. If so, then processing is complete.Otherwise, control transfers from the test step 3218 back to the step3204, discussed above.

Referring to FIG. 55, a flowchart 3250 illustrates steps performed inconnection with a switchover that exchanges the primary group with thesynchronous backup group. The processing illustrated by the flowchart3250 is like the processing illustrated by the flowchart 3100 in that itassumes that the primary group is initially located at the data center3010 and the synchronous backup group is initially located the datacenter 3020. However, as with the processing illustrated by the flowchart 3100, other initial configurations are possible.

Performing the steps illustrated by the flowchart 3250 causes theprimary group to be located at the data center 3020 and the synchronousbackup group to be located at the data center 3010. However, in the caseof the processing illustrated by the flow chart 3250, the work may bestarted by the host 3022 at the data center 3020 prior to beginning theordered writes transfer from the storage device 3024 to the storagedevice 3034. An advantage of the processing illustrated by the flowchart 3250 is that the work may be started sooner. A disadvantage isthat it may take longer to get to steady state and the processing may bea little more complex.

Processing begins at a first step 3252 where the work being performed atthe primary group by the host 3012 is stopped. Following the step 3252is a step 3254 where writes being performed to the storage device 3014are stopped. Following the step 3254 is a step 3256 where the orderedwrites generated by the storage device 3014 in connection withtransferring data to the storage device 3034 are drained. Following thestep 3256 is a step 3258 where MSC (if any) and consistency groupprocessing (if any) are stopped at the host 3012. Following the step3258 is a step 3259 where a local copy is made of the data at thestorage device 3014. Following the step 3259 is a step 3261 where RDFpairing lists are constructed in a manner similar to that discussedabove in connection with the step 3113 of the flow chart 3100 of FIG.52.

Following the step 3161 is a step 3264 where RDF transfers from thestorage device 3014 to both the storage device 3024 and to the storagedevice 3034 are suspended. Following the step 3264 is a step 3266 wherecopies of the data at the storage devices 3024, 3034 are made locally atthe data center 3020 and/or the data center 3030, respectively.Following the step 3266 is a step 3268 where the RDF relationshipsbetween the R1 volume(s) at the storage device 3014 and the R2 volume(s)at the storage device 3034 are deleted, using, for example, the dynamicRDF mechanism. Following the step 3268 is a step 3272 where the R1 andR2 volumes for the RDF connection between the storage device 3014 andthe storage device 3024 are swapped using, for example, the dynamic RDFmechanism discussed elsewhere herein. Following the step 3272 is a step3273 where an RDF pair is created to transfer data from the storagedevice 3024 to the storage device 3034 via the link L3 using orderedwrites as discussed elsewhere herein. As with the step 3125 of theflowchart 3100, discussed above, the volumes chosen for the RDF pair atthe step 3273 correspond to the R2 volumes from the previous RDFpairings between the storage device 3014 and the storage devices 3024,3034 in order to minimize the amount of initialization that needs to beperformed.

Following the step 3273 is a step 3274 where RDF transfers between thestorage device 3024 and the storage device 3014 are resumed. Note thatafter the. R1 and R2 volumes between the storage device 3014 and thestorage device 3024 are swapped, data saved locally at the storagedevice 3024 is synchronously transferred to the storage device 3014.Following the step 3274 is a step 3276 where a consistency group isstarted at the data center 3020. As discussed elsewhere herein, aconsistency group may be used in cases where the data center 3020contains multiple storage devices that store coordinated ordered datafor a single application and/or a group of related applications.

Following the step 3276 is a step 3278 where an SDDF session (describedelsewhere herein) is begun at the storage device 3024 (or group ofstorage devices) at the data center 3020. The SDDF session keeps trackof data written to the storage device 3024 that is “owed” to the storagedevice 3034. Following the step 3278 is a step 3282 where work is begunat the data center 3020. The work begun at the data center 3020 may beidentical to or related to (a continuation of) the work that waspreviously performed at the data center 3010. Following the step 3282 isa step 3284 where a background copy operation is started to copy datafrom the storage device 3024 to the storage device 3034 corresponding tobits set in connection with the SDDF session started at the step 3278.As particular data is successfully copied from the storage device 3024to the storage device 3034, the corresponding bits in the SDDF sessiondata structure are cleared indicating that the particular data is nolonger owed from the storage device 3024 to the storage device 3034.

Following the step 3284 is a step 3286 where the RDF link (created atthe step 3273) between the storage device 3024 and storage device 3034is activated. Following step 3286 is a step 3288 where processing waitsfor any SDDF bits set in connection with the SDDF session to be cleared,thus indicating that the background copying is completed. Note that,after the RDF link between the storage device 3024 and the storagedevice 3034 is activated at the step 3286, no new SDDF bits will be setsince data written to the storage device will be transferred to thestorage device 3034 via the RDF link. Thus, it is expected that the SDDFbits indicating data owed from the storage device 3024 to the storagedevice 3034 will be cleared (i.e., all data will be copied by thebackground copy process started at the step 3284) in a finite amount oftime.

Following the step 3288 is a step 3292 where the system confirms theconsistency of the ordered writes from the storage device 3024 to thestorage device 3034. In an embodiment herein, consistency is assumedwhen at least two cycles have passed after all SDDF bits are cleared.Following the step 3292 is a step 3294 where, if used, multisessioncontrol is begun at the data center 3020. Following the step 3294,processing is complete. Note that the new configuration of the system isa mirror of the prior configuration with the primary group now beingprovided at the data center 3020 and the synchronous backup group beingprovided the data center 3010.

Referring to FIG. 56, a flowchart 3300 illustrates steps performed inconnection with a switchover that locates the primary group at the datacenter 3030. Note that, as discussed elsewhere herein, it may be assumedthat the data center 3030 is geographically distant from both the datacenter 3010 and the data center 3020 so that a synchronous RDFconnection from the storage device 3034 to either the storage device3014 or the storage device 3024 would be impractical. Thus, the exampleprovided herein places the primary group at the data center 3030 with anasynchronous backup therefore being placed at the data center 3020. Ofcourse, other initial and final configurations are possible and, if thedata center 3030 is located close enough to an other data center toallow for synchronous backup, then it is possible to provide synchronousbackup from the data center 3030 to the other data center.

Processing begins at a first step 3302 where the work being performed atthe primary group by the host 3012 is stopped. Following the step 3302is a step 3304 where writes being performed to the storage device 3014are stopped. Following the step 3304 is a step 3306 where the orderedwrites generated by the storage device 3014 in connection withtransferring data to the storage device 3034 are drained. Following thestep 3306 is a step 3308 where MSC (if any) and consistency groupprocessing (if any) are stopped at the data center 3010. Following thestep 3308 is a step 3309 where a local copy is made of the data at thestorage device 3013. Following the step 3309 is a step 3311 where RDFpairing lists are constructed in a manner similar to that discussedabove in connection with the step 3113 of the flow chart 3100 of FIG.52.

Following the step 3311 is a step 3314 where RDF transfers from thestorage device 3014 to both the storage device 3024 and to the storagedevice 3034 are suspended. Following the step 3314 is a step 3316 wherecopies of the data at the storage devices 3024, 3034 are made locally atthe data center 3020 and/or the data center 3030, respectively.Following the step 3316 is a step 3318 where the RDF relationshipsbetween the R1 volume(s) at the storage device 3014 and the R2 volume(s)at the storage device 3034 are deleted, using, for example, the dynamicRDF mechanism. Following the step 3318 is a step 3321 where the R1 andR2 for the RDF connection between the storage device 3024 and thestorage device 3034 are swapped using, for example, the dynamic RDFmechanism discussed elsewhere herein. Following the step 3321 is a step3322 where an RDF pair is created to transfer data from the storagedevice 3034 to the storage device 3024 via the link L3 using orderedwrites as discussed elsewhere herein. As with the step 3125 of theflowchart 3100, discussed above, the volumes chosen for the RDF pair(s)at the step 3322 correspond to the R2 volumes from the previous RDFpairings between the storage device 3014 and the storage devices 3024,3034 in order to minimize the amount of initialization that needs to beperformed.

Following the step 3322 is a step 3323 where the RDF link between thestorage device 3034 and the storage device 3014 is activated. Note thatthe data accumulated at the storage device 3014 through the RDF linkfrom the storage device 3034 to the storage device 3014 facilitatesrestoring the initial configuration at a later point in time bymaintaining the storage device 3014 at a state that mirrors the storagedevice 3034. If it is not desirable to facilitate restoring the initialconfiguration, then the step 3321-3323 may be omitted.

Following the step 3323 is a test step 3324 where it is determined ifthe data at the storage device 3024 is synchronized with (is identicalto) data at the storage device 3034 (and thus also at the storage device3014). If not, then control transfers from the step 3324 to a step 3326where the data is synchronized. Synchronizing the data at the step 3326may use any appropriate mechanism, including mechanisms discussedelsewhere herein such as the SDDF mechanism. Note that thesynchronization may be performed at the step 3326 by simply indicatingwhich tracks (or other portions of data) are invalid (less up-to-date)and then starting a background copy process to transfer the more recentdata corresponding to those tracks. Thus, it is possible that theprocessing performed at the step 3326 simply starts the synchronizationof the storage devices 3024, 3034 without necessarily completing thesynchronization.

Following the step 3326, or following the step 3324 if the data isalready synchronized, is a step 3328 where the RDF link (created at thestep 3322) between the storage device 3034 and storage device 3024 isactivated. Following step 3328 is a step 3332 where the system waits forthe storage devices 3024, 3034 to be consistent (synchronized). Asdiscussed above, it is possible for the step 3326 to initiatesynchronization without necessarily waiting for the system to completethe synchronization at the step 3326. Thus, the processing at the step3332 waits for the synchronization to be complete. In an embodimentherein, synchronization is deemed to be complete after all invalid track(data portion) indicators have been cleared and, following that, twoordered write cycle switches have occurred. Following the step 3332 is astep 3334 where, if used, multisession control and/or con groupprocessing are begun at the data center 3030. Following the step 3334,is a step 3336 where work is begun at the host 3032 at the data center3030. Following the step 3336, processing is complete.

Note that the switchover scenarios described above may be adapted toprovide for just about any other switchover scenarios not specificallydiscussed above. For example, it is possible to provide for switchingthe primary group to the data center 3030 while switching theasynchronous backup group to the data center 3010. Such a switchover maybe beneficial in instances where the initial configuration is like theconfiguration 1780 of FIG. 42 in which the synchronous backup group isimplemented as a minimal storage local destination 1788.

As discussed elsewhere herein, it is possible to create and/or maintaincopies of storage devices or of portions thereof (volumes). In caseswhere a local mirror is maintained and then “split” from the volumebeing mirrored, it is possible for a host to operate on the mirroreddata without affecting the volume being mirrored. In such a case, it mayalso be possible to rejoin the mirror with the volume being mirrored bysynchronizing the volumes to eliminate the effects of the dataoperations performed on the local mirror while the volumes were split.

Referring to FIG. 57, a diagram 3350 shows the storage device 3034 andthe host 3032. Other storage devices (groups of storage devices) and/orother hosts (groups of hosts) could be used. The storage device isillustrated as including a first volume 3352 and a second, mirrored,volume 3354 that is a mirror of the first volume 3352. In an embodimentherein, the second volume 3354 may be split from the first volume 3352so that the host 3032 may perform operations on, and alter, the data ofthe second volume 3354 without affecting the first volume 3352.Subsequently, it may be possible to rejoin the volumes 3352, 3354 sothat the volume is once again a mirror of the volume 3352 where the host3032 operates on the volume 3352.

The system described herein may be useful in instances where there is anunexpected failure at a data center hosting the primary group, such asthe data center 3010, where the failure causes the data center 3010 tobe completely off-line. Note that failure includes failure of thelink(s) that communicate with the data center hosting the primary group.When a failure occurs, the system may be configured to automaticallytransfer the work load in an orderly fashion to either the data center3020 or to the data center 3030. Of course, since by definition such afailure is unplanned, it may be assumed that after the failure noprocessing may be performed at the data center 3010 that hosted theprimary group prior to the failure. Thus, for example, it is notexpected that the ordered writes may be drained from the storage device3014 to the storage device 3034, as is the case in planned switchovers,discussed above. In addition, for any dynamic RDF operations that areperformed to handle the failover operations, it is not expected to beable to receive any data or otherwise interact with the failed datacenter or volumes thereof. As discussed elsewhere herein, after theprimary group fails, it is possible to determine which of thesynchronous backup group and asynchronous backup group have the mostup-to-date data and synchronize the data between the two accordingly.

Referring to FIG. 58, a flowchart 3400 illustrates steps performed inconnection with a failover where the data center 3010 (or a significantportion thereof) fails and the primary group is restarted at the datacenter 3020 that had previously hosted the synchronous backup group.Processing begins at a first step 3402 where local copies of data aremade at the storage devices 3024, 3034, as discussed elsewhere herein.Following step 3402 is a step 3404 where a cleanup operation isperformed at the asynchronous backup group to store data that had beentransmitted to the asynchronous backup group prior to the failover butnot yet stored. Performing a cleanup operation at the asynchronousbackup group is discussed elsewhere herein. See, for example, FIGS. 23and 32 and the corresponding discussion.

Following the step 3404 is a step 3406 where a half swap operation isperformed to change the one or more R2 volumes at the storage device3024 into R1 volumes, where the volumes that are changed are R2 volumesthat were previously part of RDF pairings between the storage device3014 and the storage device 3024. A half swap is performed rather than afull swap because the data center 3010 may not be capable of receivingand/or processing commands to modify the R1 devices thereon. Thus, thehalf swap operations swaps the R2 half of the RDF pair (i.e., convertsit to an R1 device) between the storage device 3014 and the storagedevice 3024 without necessarily receiving cooperation from, or evencommunicating with, the corresponding R1 device at the data center 3010.That is, the storage device 3024 receives and acts on the half swapcommand independent of the storage device 3014. Note that the resultingR1 volumes may accumulate data that is owed to the storage device 3014should the data center 3010 and the storage device 3014 becomeoperational again. Thus, one possibility is that after the data center3010 is brought back on line after failure and the R1 volumes at thedata center 3020 are used to resynchronized the storage device 3014.Once the resynchronization is complete, it may be possible to then swapthe primary group and the synchronous backup group between the datacenter 3010 in the data center 3020 to restore the system to its initialconfiguration.

Following step 3406 is a step 3408 where a half delete operation isperformed on the R2 volume of the RDF pair(s) between the storage device3014 and the storage device 3034. The half delete is performed at thestep 3408 for reasons similar to performing the half swap at the step3406, namely, the unavailability of the data center 3010. Thus, the halfdelete operation allows the R2 volume at the storage device 3034 toeliminate the RDF relationship with the corresponding R1 volume at thestorage device 3014 without cooperation from, or even communicationwith, the storage device 3014 at the data center 3010. That is, thestorage device 3034 receives and acts on the half delete commandindependent of the storage device 3014.

Following the step 3408 is a step 3412 where the data at the storagedevice 3024 is synchronized with the data at the storage device 3034.Note that, depending on the nature of the failure, it is possible forthe storage device 3034 to have more up-to-date data than the storagedevice 3024, or vice versa. Determining which of the storage devices3024, 3034 has more recent data may be performed using any appropriatemechanism, such as the SDDF mechanism described elsewhere herein. Notealso that the synchronization may be performed at the step 3412 bysimply indicating which tracks (or other portions of data) are invalid(less up-to-date) and then starting a background copy process totransfer the more recent data corresponding to those tracks. Thus, it ispossible that the processing performed at the step 3412 simply startsthe synchronization of the storage devices 3024, 3034 withoutnecessarily completing the synchronization.

Following the step 3412 is a step 3414 where the ordered writes RDFconnection between the storage device 3024 and the storage device 3034is activated. Following step 3414 is a step 3416 where MSC processing,if used, is started at the host 3022 at the data center 3020. Followingthe step 3416 is a step 3418 where the system waits for the data to beconsistent between the storage device 3024 and the storage device 3034.As discussed above in connection with the step 3412, the synchronizationprocess may be started prior to reaching the step 3418 withoutnecessarily being completed. In an embodiment herein, the system may bedeemed consistent after all of the invalid data has been synchronizedand two additional cycle switches have occurred in connection with theordered writes. Following step 3418 is a step 3422 where the work isstarted at the host 3022 of the data center 3020. Following step 3422,processing is complete.

As discussed elsewhere herein, it is possible for the storage device3024 to maintain at least the R1 half of one or more RDF pairs betweenthe storage device 3024 and the storage device 3014. Maintaining the R1volume(s) in this way allows the system to keep track of the data thatis owed from the storage device 3024 to the storage device 3014. Thisinformation may be used to resynchronize the data center 3010 should thedata center 3010 become operational again.

Referring to FIG. 59, a flowchart 3450 illustrates steps performed inconnection with a failover where the data center 3010 (or a significantportion thereof) fails and the primary group is restarted at the datacenter 3020 that had previously hosted the synchronous backup group. Theprocessing illustrated by the flow chart 3450 provides for the work loadbeing started at the data center 3020 prior synchronizing the storagedevices 3024, 3034 whereas the processing illustrated by the flow chart3400 provides for the work load being started at the data center afterthe synchronization. An advantage of starting the work load beforesynchronization is, of course, faster start up while a disadvantage isthat it may take longer to synchronize than systems that synchronizeprior to start up.

Processing begins at a first step 3452 where local copies of data aremade at the storage devices 3024, 3034, as discussed elsewhere herein.Following step 3452 is a step 3454 where a cleanup operation isperformed at the asynchronous backup group to store data that had beentransmitted to the asynchronous backup group prior to the failover butnot yet stored. Performing a cleanup operation at the asynchronousbackup group is discussed elsewhere herein. See, for example, FIGS. 23and 32 and the corresponding discussion.

Following the step 3454 is a step 3456 where a half swap operation isperformed to change the one or more R2 volumes at the storage device3024 into R1 volumes, where the volumes that are changed are R2 volumesthat were previously part of RDF pairings between the storage device3014 and the storage device 3024. Note that the resulting R1 volume(s)may accumulate data that is owed to the storage device 3014 should thedata center 3010 and the storage device 3014 become operational again.Following step 3456 is a step 3458 where the work load is started at thehost 3022. Following the step 3458 is a step 3462 where a half deleteoperation is performed on the R2 volume of the RDF pair(s) between thestorage device 3014 and the storage device 3034. The half deleteoperation is performed at the step 3462 for reasons similar toperforming the half swap at the step 3456, namely, the unavailability ofthe data center 3010.

Following the step 3462 is a step 3464 where the ordered writes RDFconnection between the storage device 3024 and the storage device 3034is activated. Following step 3464 is a step 3466 where MSC processing,if used, is started at the host 3022 at the data center 3020. Followingthe step 3466 is a step 3468 where the system synchronizes the storagedevices 3024, 3034 and then waits for the data to be consistent betweenthe storage device 3024 and the storage device 3034. In an embodimentherein, the system may be deemed synchronized after all of the invaliddata indicators have been resolved and two additional cycle switcheshave occurred in connection with the ordered writes. Following step3468, processing is complete.

Referring to FIG. 60, a flowchart 3500 illustrates steps performed inconnection with a failover where the data center 3010 (or a significantportion thereof) fails and the primary group is restarted at the datacenter 3030 that had previously hosted the asynchronous backup group.Processing begins at a first step 3502 where local copies of data aremade at the storage devices 3024, 3034, as discussed elsewhere herein.Following step 3502 is a step 3504 where a cleanup operation isperformed at the asynchronous backup group to store data that had beentransmitted to the asynchronous backup group prior to the failover butnot yet stored. Performing a cleanup operation at the asynchronousbackup group is discussed elsewhere herein. See, for example, FIGS. 23and 32 and the corresponding discussion.

Following the step 3504 is a step 3506 where a half swap operation isperformed to change the one or more R2 volumes at the storage device3034 into R1 volumes, where the volumes that are changed are R2 volumesthat were previously part of RDF pairings between the storage device3014 and the storage device 3034. Note that the resulting R1 volumes mayaccumulate data that is owed to the storage device 3014 should the datacenter 3010 and the storage device 3014 become operational again. Thus,one possibility is that after the data center 3010 is brought back online after failure, the R1 volume(s) at the data center 3030 are used toresynchronized the storage device 3014. Once the resynchronization iscomplete, it may be possible to then swap the primary group and theasynchronous backup group between the data center 3010 in the datacenter 3030 to restore the system to its initial configuration.

Following step 3506 is a step 3508 where a half delete operation isperformed on the R2 volume of the RDF pair(s) between the storage device3014 and the storage device 3024. The half delete is performed at thestep 3508 for reasons similar to performing the half swap at the step3506, namely, the unavailability of the data center 3010. Following thestep 3508 is a step 3512 where the data at the storage device 3024 issynchronized with the data at the storage device 3034. Note that,depending on the nature of the failure, it is possible for the storagedevice 3034 to have more up-to-date data than the storage device 3024,or vice versa. Determining which of the storage devices 3024, 3034 hasmore recent data may be performed using any appropriate mechanism, suchas the SDDF mechanism described elsewhere herein. Note also that thesynchronization may be performed at the step 3512 by simply indicatingwhich tracks (or other portions of data) are invalid (less up-to-date)and then starting a background copy process to transfer the more recentdata corresponding to those tracks. Thus, it is possible that theprocessing performed at the step 3512 simply starts the synchronizationof the storage devices 3024, 3034 without necessarily completing thesynchronization.

Following the step 3512 is a step 3514 where the ordered writes RDFconnection from the storage device 3034 to the storage device 3024 isactivated. Following step 3514 is a step 3516 where MSC processing, ifused, is started at the host 3032 at the data center 3030. Following thestep 3516 is a step 3518 where the system waits for the data to beconsistent between the storage device 3024 and the storage device 3034.As discussed above in connection with the step 3512, the synchronizationprocess may be started prior to reaching the step 3518 withoutnecessarily being completed. In an embodiment herein, the system may bedeemed consistent after all of the invalid data has been synchronizedand two additional cycle switches have occurred in connection with theordered writes. Following step 3518 is a step 3522 where the work isstarted at the host 3032 of the data center 3030. Following step 3522,processing is complete.

Just as with the switchover scenarios, the failover scenarios describedabove may be adapted to provide just about any possible failoverscenario not specifically described above. Of course, if either of thebackup group sites fails, a failover situation does not necessarilyexist since work may continue at the site of the primary group.Similarly, if one of the links L1, L2 fails, a failover situation doesnot necessarily exist. However, if both of the links L1, L2 fail, thenprocessing at one or both of the backup group sites may begin failoverprocessing as discussed herein. Note that, in some instances, failure atthe site of the primary group may be indistinguishable from simultaneousor near simultaneous failure of the links L1, L2. Note also that, asdiscussed elsewhere herein, failure of the site of the synchronousbackup group and/or failure of the link L1 between the primary group andthe synchronous backup group may cause an SDDF session to be initiatedat the site of the asynchronous backup group.

Referring to FIG. 61, a flowchart 3600 illustrates steps performed inconnection with resumption of operations following failover when all ofthe sites and the links have become operational. Processing begins at afirst step 3602 where the work is stopped at either the host 3022 or thehosts 3032, depending upon which of the hosts 3022, 3032 was performingthe work (i.e., was part of the primary group) after the failover.Following the step 3602 is a step 3604 where writes are stopped to theone of the storage devices 3024, 3034 that corresponds to the one of thehosts 3022, 3032 that was performing the work (i.e., the one of thestorage devices 3024, 3034 that was part of the primary group).Following the step 3604 is a step 3606 where con group processing, ifany, is stopped at the one of the hosts 3032, 3022 performing the work.Following the step 3606 is a step 3608 where asynchronous writes aredrained from the primary group in a manner similar to that discussedelsewhere herein.

Following the step 3608 is a step 3612 where the storage device 3014 issynchronized with whichever one of the storage devices 3024, 3034 wasused for performing the work of the primary group. The synchronizationperformed at the step 3612 may use any appropriate mechanism, includingusing information from the R1 device created in connection with the halfswap operation performed when the failover occurred, to determine whichdata it needs to be transferred to the storage device 3014 forsynchronization. Following the step 3612 is a step 3614 where the RDFrelationships that were present at the initial system are reconstructed.The reconstruction of the RDF relationships at the step 3614 is done ina way so as not to interfere with any synchronization started at thestep 3612. In an embodiment herein, the synchronization at step 3612 maybe performed by using the R1 device (obtained in connection with theprevious half swap operation) to construct a table that is used toperform a background copy operation initiated at the step 3612. Once thetable has been constructed, then the reconfiguration of the RDFrelationships at the step 3614 does not interfere with thesynchronization process started at the step 3612.

Following the step 3614 is a step 3616 where the system waits for theresynchronization of the storage device 3014. Waiting for suchresynchronization is discussed in more detail elsewhere herein.Following the step 3616 is a step 3618 where con group processing andMSC processing are restarted at the data center 3010. Following the step3618 is a step 3622 where the work is restarted at the host 3012.Following step 3622, processing is complete. Note that the system is nowin its initial state that existed prior to the failover.

Referring to FIG. 62, a flowchart 3640 illustrates steps performed inconnection with recovering from intermittent failure of the link L1.Processing begins at a first step 3642 where data is resynchronized fromthe storage device 3014 to the storage device 3024. Note that, while thelink L1 was in a failed state, the R1 volume(s) at the storage device3014 accumulated invalid indicators for the R2 volume(s) at the storagedevice 3024. Thus, the resynchronization performed at the step 3642involves starting a process to copy the data corresponding to theinvalid data indicators (e.g., invalid track indicators) set for the R1volume(s) at the storage device 3014. Following the step 3642 is a step3644 where the host 3012 resumes con group processing. Following stepthe 3644 is a step 3646 where MSC processing is resumed. Following thestep 3646, processing is complete.

Referring to FIG. 63, a flowchart 3660 illustrates steps performed inconnection with recovering from failure of the link L2. Processingbegins a first step 3662 where local copies of the affected volumes ofthe storage device 3024 and the storage device 3034 are made. Followingthe step 3662 is a step 3664 where the system begins a background copyprocess from the storage device 3014 to the storage device 3034.Following the step 3664 is a step 3666 where RDF transfer between thestorage device 3014 and the storage device 3034 is reactivated.Following the step 3666 is a step 3668 where the system waits for thestorage device 3734 to become consistent with the storage device 3014.Waiting for consistency between storage devices is discussed in moredetail elsewhere herein. Following the step 3668 is a step 3672 whereMSC processing, if any, is resumed. Following the step 3672, processingis complete.

The system described herein may be implemented using the hardwaredescribed herein, variations thereof, or any other appropriate hardwarecapable of providing the functionality described herein. Thus, forexample, one or more storage devices having components as describedherein may, alone or in combination with other devices, provide anappropriate platform that executes any of the steps described herein.The system also includes computer software, in a computer readablemedium, that executes any of the steps described herein.

While the invention has been disclosed in connection with variousembodiments, modifications thereon will be readily apparent to thoseskilled in the art. Accordingly, the spirit and scope of the inventionis set forth in the following claims.

1. A method of resuming triangular asynchronous replication operationsbetween a primary group at a first data center, a synchronous backupgroup at a second data center, and an asynchronous backup group at athird data center, the method comprising: stopping work at a datastorage device temporarily hosting the primary group at one of: thesecond data center and the third data center; configuring data mirroringrelationships to provide for synchronous data mirroring from the datastorage device at the first data center to a data storage device at thesecond data center; configuring data mirroring relationships to providefor an asynchronous data mirror from the data storage device at thefirst data center to a data storage device at the third data center,wherein writes begun at the first data center after a first time andbefore a second time are associated with a first chunk of data andwrites begun after the second time are associated with a second chunk ofdata different from the first chunk of data and wherein, aftercompletion of all writes associated with the first chunk of data, datafor writes associated with the first chunk of data is transferred to thethird data center and, in response to receiving a message separate fromthe first and second chunks of data indicating the transfer of the firstchunk of data is complete from the first data center to the third datacenter, the data storage device at the third data center stores the datawrites associated with the first chunk of data; and resuming work at thefirst data center.
 2. A method, according to claim 1, furthercomprising: initiating synchronization of a data storage device at thefirst data center with the data storage device temporarily hosting theprimary group.
 3. A method, according to claim 2, further comprising:completing pending data write operations associated with an asynchronousdata mirror used by the data storage device temporarily hosting theprimary group prior to initiating synchronization.
 4. A method,according to claim 2, wherein work is resumed at the first data centerfollowing completion of the synchronization.
 5. A method, according toclaim 1, further comprising: prior to resuming work at the first datacenter, initiating multisession control at the first data center.
 6. Amethod, according to claim 1, further comprising: following intermittentfailure of a link between the first data center and the second datacenter, synchronizing the data storage device at the first data centerwith the data storage device at the second data center.
 7. A method,according to claim 1, further comprising: following intermittent failureof a link between the first data center and the third data center,providing local copies of the data storage device at the second datacenter and the data storage device at the third data center andinitiating transfer of synchronizing data from the data storage deviceat the first data center to the data storage device at the third datacenter.
 8. A method, according to claim 7, further comprising: waitingfor synchronization between the data storage device at the first datacenter with the data storage device at the third data center prior toresuming work at the first data center.
 9. Computer software, providedin a computer-readable medium, that resumes triangular asynchronousreplication operations between a primary group at a first data center, asynchronous backup group at a second data center, and an asynchronousbackup group at a third data center, the software comprising: executablecode that stops work at a data storage device temporarily hosting theprimary group at one of: the second data center and the third datacenter; executable code that configures data mirroring relationships toprovide for synchronous data mirroring from the data storage device atthe first data center to a data storage device at the second datacenter; and executable code that configures data mirroring relationshipsto provide for an asynchronous data mirror from the data storage deviceat the first data center to a data storage device at the third datacenter, wherein writes begun at the first data center after a first timeand before a second time are associated with a first chunk of data andwrites begun after the second time are associated with a second chunk ofdata different from the first chunk of data and wherein, aftercompletion of all writes associated with the first chunk of data, datafor writes associated with the first chunk of data is transferred to thethird data center and, in response to receiving a message separate fromthe first and second chunks of data indicating the transfer of the firstchunk of data is complete from the first data center to the third datacenter, the data storage device at the third data center stores the datawrites associated with the first chunk of data.
 10. Computer software,according to claim 9, further comprising: executable code that initiatessynchronization of a data storage device at the first data center withthe data storage device temporarily hosting the primary group. 11.Computer software, according to claim 10, further comprising: executablecode that completes pending data write operations associated with anasynchronous data mirror used by the data storage device temporarilyhosting the primary group prior to initiating synchronization. 12.Computer software, according to claim 10, wherein work is resumed at thefirst data center following completion of the synchronization. 13.Computer software, according to claim 9, further comprising: executablecode that initiates multisession control at the first data center priorto resuming work at the first data center.
 14. Computer software,according to claim 9, further comprising: executable code thatsynchronizes the data storage device at the first data center with thedata storage device at the second data center following intermittentfailure of a link between the first data center and the second datacenter.
 15. Computer software, according to claim 9, further comprising:executable code that provides local copies of the data storage device atthe second data center and the data storage device at the third datacenter and initiating transfer of synchronizing data from the datastorage device at the first data center to the data storage device atthe third data center following intermittent failure of a link betweenthe first data center and the third data center.
 16. Computer software,according to claim 15, further comprising: executable code that waitsfor synchronization between the data storage device at the first datacenter with the data storage device at the third data center prior toresuming work at the first data center.
 17. A triangular asynchronousreplication system, comprising: a primary group at a first data center;a synchronous backup group at a second data center coupled to the firstdata center; and an asynchronous backup group at a third data centercoupled to the first data center, wherein at least one of the datacenters includes at least one storage device having software that,following a failure, resumes triangular asynchronous replicationoperations between the primary group, the synchronous backup group, andthe asynchronous backup group, the software having executable code thatstops work at a data storage device temporarily hosting the primarygroup at one of: the second data center and the third data center,executable code that configures data mirroring relationships to providefor synchronous data mirroring from the data storage device at the firstdata center to a data storage device at the second data center, andexecutable code that configures data mirroring relationships to providefor an asynchronous data mirror from the data storage device at thefirst data center to a data storage device at the third data center,wherein writes begun at the first data center after a first time andbefore a second time are associated with a first chunk of data andwrites begun after the second time are associated with a second chunk ofdata different from the first chunk of data and wherein, aftercompletion of all writes associated with the first chunk of data, datafor writes associated with the first chunk of data is transferred to thethird data center and, in response to receiving a message separate fromthe first and second chunks of data indicating the transfer of the firstchunk of data is complete from the first data center to the third datacenter, the data storage device at the third data center stores the datawrites associated with the first chunk of data.
 18. A triangularasynchronous replication system, according to claim 17, wherein thesoftware also includes executable code that initiates synchronization ofa data storage device at the first data center with the data storagedevice temporarily hosting the primary group.
 19. A triangularasynchronous replication system, according to claim 18, wherein thesoftware also includes executable code that completes pending data writeoperations associated with an asynchronous data mirror used by the datastorage device temporarily hosting the primary group prior to initiatingsynchronization.
 20. A triangular asynchronous replication system,according to claim 18, wherein work is resumed at the first data centerfollowing completion of the synchronization.
 21. A triangularasynchronous replication system, according to claim 17, wherein thesoftware also includes executable code that initiates multisessioncontrol at the first data center prior to resuming work at the firstdata center.
 22. A triangular asynchronous replication system, accordingto claim 17, wherein the software also includes executable code thatsynchronizes the data storage device at the first data center with thedata storage device at the second data center following intermittentfailure of a link between the first data center and the second datacenter.
 23. A triangular asynchronous replication system, according toclaim 17, wherein the software also includes executable code thatprovides local copies of the data storage device at the second datacenter and the data storage device at the third data center andinitiating transfer of synchronizing data from the data storage deviceat the first data center to the data storage device at the third datacenter following intermittent failure of a link between the first datacenter and the third data center.
 24. A triangular asynchronousreplication system, according to claim 23, wherein the software alsoincludes executable code that waits for synchronization between the datastorage device at the first data center with the data storage device atthe third data center prior to resuming work at the first data center.